8 posts tagged with "postgresql"

Published: 2025-01-16

When the LLM Council reviewed our RBAC implementation (ADR-032), the verdict was unanimous and uncomfortable: REQUEST_CHANGES. The core problem? Our "simple" role model was a ticking time bomb. A user with WRITE permission could modify any resource in the system—Team A's runbooks, Team B's SLOs, production configurations they had no business touching.

This post details how we addressed Issue #450 by implementing scoped role bindings, transforming our authorization model from a liability into a proper multi-tenant foundation.

The Problem​

Our original RBAC model was deceptively simple:

class Permission(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    ADMIN = "admin"

Users were assigned roles (admin, editor, viewer) that mapped to these permissions globally. The LLM Council identified several critical gaps:

1. No Resource Scoping: A Team-A editor could modify Team-B's runbooks
2. No Environment Separation: Couldn't be Admin in staging but Viewer in production
3. Missing Operational Verbs: No DEPLOY, SCALE, or SILENCE_ALERT permissions
4. No Audit Trail: Permission checks weren't logged for compliance

The "blast radius" of any permission was the entire system. For an SRE platform managing production infrastructure, this was unacceptable.

The Solution​

We implemented a three-layer scoping model:

User → Role → Scope → Permission

Scope Model​

Scopes define boundaries for resource access:

class AuthScope(Base):
    __tablename__ = "auth_scopes"

    scope_type: Mapped[str]   # team, environment, service, organization
    scope_value: Mapped[str]  # team-alpha, production, api-gateway
    parent_id: Mapped[str]    # For hierarchy (org → team → project)

The hierarchy enables inheritance—organization-level access flows down to teams within that org.

Scoped Role Bindings​

Instead of global role assignments, users now have scoped bindings:

class AuthRoleScopeBinding(Base):
    __tablename__ = "auth_role_scope_bindings"

    user_email: Mapped[str]      # Who
    role_id: Mapped[str]         # What role
    scope_id: Mapped[str]        # Where (team, env, etc.)
    expires_at: Mapped[datetime] # Time-bound access
    assigned_by: Mapped[str]     # Audit: who granted this
    reason: Mapped[str]          # Audit: why granted

This enables scenarios like:

• Alice: Admin in Team-Alpha, Viewer in Team-Beta
• Bob: Deployer in staging, Reader in production
• Carol: On-call engineer with SILENCE_ALERT for 8 hours

Operational Verbs​

We added SRE-specific permissions:

class Permission(str, Enum):
    # Basic CRUD
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    EXECUTE = "execute"
    ADMIN = "admin"

    # Operational verbs (Issue #450)
    APPROVE = "approve"         # Approve deployments, changes
    DEPLOY = "deploy"           # Deploy to environments
    SCALE = "scale"             # Scale services
    SILENCE_ALERT = "silence_alert"  # Silence during maintenance

Implementation​

Scoped Permission Checker​

The core permission checker evaluates access within context:

class ScopedPermissionChecker:
    def check_scoped_permission(
        self,
        user: UserInfo,
        required_permission: Permission,
        resource_context: dict[str, Any],  # {"team": "alpha", "env": "prod"}
    ) -> bool:
        # 1. Get user's scope bindings
        bindings = self._get_user_bindings(user.email)

        # 2. Filter to active (non-expired) bindings
        active = [b for b in bindings if not b.is_expired]

        # 3. Check if any binding grants access
        for binding in active:
            if self._scope_matches_context(binding.scope, resource_context):
                if required_permission in self._get_role_permissions(binding.role):
                    return True

        return False

Audit Logging​

Every permission check is logged with structured fields:

def _log_permission_check(self, user, permission, context, result):
    log_data = {
        "user_email": user.email,
        "permission": permission.value,
        "resource_context": context,
        "result": "granted" if result else "denied",
        "scope_path": self._build_scope_path(context),
    }

    if result:
        logger.info(f"Permission granted", extra=log_data)
    else:
        logger.warning(f"Permission denied", extra=log_data)

Usage in Routes​

Protecting endpoints with scoped authorization:

from core.auth.scoped_rbac import ScopedPermissionChecker, create_scope_resolver

team_resolver = create_scope_resolver(
    scope_type="team",
    extract_scope=lambda r: r.path_params.get("team_id"),
)

@app.delete("/teams/{team_id}/runbooks/{runbook_id}")
async def delete_runbook(
    team_id: str,
    runbook_id: str,
    user: UserInfo = Depends(get_current_user),
    db: Session = Depends(get_db),
):
    checker = ScopedPermissionChecker(db)

    if not checker.check_scoped_permission(
        user, Permission.DELETE, {"team": team_id}
    ):
        raise HTTPException(403, "Not authorized for this team")

    # Safe to proceed—user has DELETE in this team's scope

Results​

Before: Global Permissions​

alice@example.com → editor → {READ, WRITE}  # Everywhere!

After: Scoped Bindings​

alice@example.com → editor → Team-Alpha/staging     → {READ, WRITE}
alice@example.com → viewer → Team-Alpha/production  → {READ}
alice@example.com → (none)  → Team-Beta/*           → (no access)

Audit Trail​

{
  "timestamp": "2025-01-16T10:30:00Z",
  "user_email": "alice@example.com",
  "permission": "write",
  "resource_context": {"team": "team-alpha", "environment": "staging"},
  "result": "granted",
  "scope_path": "team:team-alpha -> environment:staging"
}

Lessons Learned​

1. Start with scopes, not roles: If we'd designed with scopes from day one, the global-permission mistake wouldn't have happened.

2. Operational verbs matter: CRUD permissions don't capture SRE workflows. DEPLOY, SCALE, and SILENCE_ALERT are fundamentally different from WRITE.

3. Audit everything: The compliance team was delighted. Every permission check now has a paper trail.

4. Time-bound access enables break-glass: On-call engineers get elevated permissions that auto-expire after their shift.

5. Hierarchy simplifies management: Org → Team → Project scope hierarchy means fewer bindings to manage.

Migration Path​

For existing users, we created a migration that:

1. Seeds default scopes (development, staging, production, default org)
2. Existing global roles continue working (backward compatible)
3. New scoped bindings can be added incrementally

What's Next​

With scoped RBAC in place, we can now:

• Implement capability-level permissions (per-entity access)
• Add break-glass workflows with automatic scope escalation
• Build a permission management UI for team leads
• Enable self-service scope requests with approval workflows

This post details the implementation of ADR-032: RBAC Model, resolving Issue #450.

Published: 2025-01-16

When the LLM Council reviewed our ClickStack integration (ADR-043), they identified a critical flaw: we were sending telemetry data directly from applications to ClickHouse without any buffering layer. The verdict was CONDITIONAL APPROVAL until we addressed this—and for good reason.

This post details how we addressed Issue #451 by implementing an OTel Gateway buffering layer, transforming our telemetry pipeline from a ticking time bomb into a resilient, production-ready system.

The Problem​

Our original architecture was deceptively simple:

[Apps] --OTLP--> [Collector:4317] --> [ClickHouse]

This looks clean, but under traffic spikes (incident response, deployment waves, load tests), the direct ingestion path creates serious problems:

1. "Too Many Parts" Errors: ClickHouse uses MergeTree storage that creates "parts" for each insert. Too many small inserts overwhelm the merge process.

2. Memory Exhaustion: The collector has no backpressure mechanism—it accepts data as fast as apps can send it, potentially causing OOM crashes.

3. No Retry Safety: When ClickHouse briefly becomes unavailable, data is lost.

4. Cascade Failures: A spike in one service's telemetry can crash the entire observability pipeline.

The Council specifically called out:

"Direct OTLP→ClickHouse allows ingestion spikes to crash DB ('Too many parts'). Insert Kafka or aggregated OTel Collector Gateway between apps and ClickHouse."

The Solution​

We implemented a two-tier OTel Collector architecture with a dedicated gateway:

[Apps] --OTLP--> [Gateway:4317] --OTLP--> [Collector:4319] --> [ClickHouse]

Gateway Layer​

The gateway sits between applications and the ClickHouse-writing collector, providing:

• Memory Limiting: Prevents OOM under traffic spikes
• Batching: Aggregates small payloads into efficient batches
• Backpressure: Refuses data when overwhelmed (graceful degradation)

Collector Layer​

The collector focuses on ClickHouse-optimized writes:

• Large Batches: 10,000 rows per insert (vs 1,024 before)
• Retry Logic: Exponential backoff for transient failures
• Internal Only: Not exposed externally—only gateway connects

Implementation​

Gateway Configuration​

The gateway (gateway.yaml) is the first line of defense:

processors:
  # Memory limiter - MUST be first processor
  # limit_mib is the HARD limit; spike_limit_mib is subtracted
  memory_limiter:
    check_interval: 100ms
    limit_mib: 1536         # Hard limit (fits in 2GB container)
    spike_limit_mib: 256    # Soft limit at 1280 MiB

  # Batch processor - aggregates for efficient writes
  batch:
    timeout: 5s              # Max time to wait
    send_batch_size: 8192    # Target batch size
    send_batch_max_size: 16384

exporters:
  otlp:
    endpoint: otel-collector:4319
    sending_queue:
      queue_size: 500       # Conservative queue size (~4 MB)
    retry_on_failure:
      enabled: true
      initial_interval: 5s
      max_interval: 30s
      max_elapsed_time: 300s

The memory_limiter is critical—it tracks memory usage and applies backpressure when limits are reached. Understanding OTel's memory model is key: limit_mib is the hard limit (data refused above this), while spike_limit_mib defines a "buffer zone" (soft limit = limit_mib - spike_limit_mib). Backpressure kicks in at the soft limit; data is refused at the hard limit.

Collector Configuration​

The collector (collector.yaml) optimizes for ClickHouse:

processors:
  batch:
    timeout: 10s               # Longer timeout for larger batches
    send_batch_size: 10000     # ClickHouse handles large batches well
    send_batch_max_size: 20000

exporters:
  clickhouse:
    endpoint: tcp://clickhouse:9000?dial_timeout=10s&compress=lz4
    retry_on_failure:
      enabled: true
      initial_interval: 5s
      max_interval: 30s
      max_elapsed_time: 300s

The larger batch size (10,000 vs 1,024) dramatically reduces the number of parts created in ClickHouse.

Docker Compose​

The docker-compose.yml wires it together:

services:
  otel-gateway:
    image: otel/opentelemetry-collector-contrib:latest
    command: ["--config=/etc/otel-gateway.yaml"]
    ports:
      - "4317:4317"   # Apps connect here
      - "4318:4318"
    deploy:
      resources:
        limits:
          memory: 2G  # Container memory limit

  otel-collector:
    image: otel/opentelemetry-collector-contrib:latest
    command: ["--config=/etc/otel-collector.yaml"]
    # Note: 4317 NOT exposed - gateway handles external connections
    expose:
      - "4319"        # Internal only

Key points:

• Gateway exposes ports 4317/4318 (apps connect here)
• Collector does NOT expose 4317 externally (internal only)
• Gateway has explicit memory limits (2GB container)

Results​

Before: Direct Ingestion​

Traffic Spike (10x) → Collector overwhelmed → ClickHouse "Too many parts" → Data loss

After: Buffered Ingestion​

Traffic Spike (10x) → Gateway buffers → Memory limit applies backpressure →
Collector batches → ClickHouse receives ~1/10th the insert count → Stable

Key Metrics​

Lessons Learned​

1. Buffering is not optional: For any high-volume ingestion, a buffering layer is essential. The "simple" direct path is a trap.

2. Memory limits require thought: Setting limit_mib too low causes unnecessary data loss; too high risks OOM. Monitor and adjust.

3. Batch size matters for ClickHouse: ClickHouse performance depends heavily on insert size. Larger batches = fewer parts = better performance.

4. Two-tier architecture works: Separating "absorb spikes" (gateway) from "write efficiently" (collector) simplifies each component.

5. Test under load: We added load tests (test_telemetry_buffering.py) that simulate 10x traffic spikes. These catch issues before production.

Testing the Buffering Layer​

We created a Python module (backend/core/telemetry/buffering.py) that simulates the OTel Gateway behavior for testing:

from backend.core.telemetry.buffering import OTelGatewayBuffer, TelemetrySpike

buffer = OTelGatewayBuffer(
    memory_limit_mib=1800,
    spike_limit_mib=400,
    batch_timeout_seconds=5,
    batch_size=8192,
)

spike = TelemetrySpike(
    spans_per_second=1000,  # 10x normal
    duration_seconds=60,
)

metrics = await buffer.simulate_load(spike)
assert metrics.success_rate >= 0.99
assert metrics.error_count == 0

This allows testing buffering behavior without running the full OTel stack.

What's Next​

With the buffering layer in place, we can now:

• Add Kafka for even larger buffering capacity
• Implement tiered storage (hot/cold) in ClickHouse
• Add per-signal retention policies
• Build dashboards for gateway health monitoring

This post details the implementation of ADR-043: ClickStack Integration, resolving Issue #451.

Published: 2025-01-16

When an SRE responds to an incident, every second counts. Yet our dashboard was making them wait - not because the backend was slow, but because we'd accidentally created a request waterfall that serialized all our data loading. Here's how we fixed it.

The Problem​

Our React application followed a common but flawed pattern: lazy load the component code, render it, then fetch data. This creates what's known as a "request waterfall":

User Authenticates
  → Component Code Loads (100ms)
    → Component Renders
      → useQuery fires (network latency ~200ms)
        → Data arrives
          → Re-render with data

For our SRE Dashboard, this meant loading 6 different data sources sequentially:

1. Dashboard summary
2. Health scores
3. Top issues
4. Applications list
5. Active incidents
6. SLO status

Each waited for the previous to complete. A 50ms backend response became a 300ms waterfall when chained.

The LLM Council review of ADR-036 (Lazy Loading) caught this flaw:

"The lazy loading strategy is fundamentally flawed. Code → Render → Data pattern degrades performance (sequential instead of parallel)."

The verdict was REJECTED. We needed to fix this.

The Solution​

The fix is conceptually simple: fetch data in parallel with component code, not after.

User Authenticates
  ├── Component Code Loads (100ms)     ← PARALLEL
  └── preloadCriticalData() fires      ← PARALLEL
      ├── /sre-dashboard
      ├── /health-score
      ├── /applications
      ├── /incidents
      ├── /slos
      └── /error-budgets
  → Component Renders with data already in cache

We implemented this with three key pieces:

1. Critical Path Manifest​

First, we classified routes by urgency:

// frontend/src/utils/preload.ts
export const CRITICAL_ROUTES = {
  // Immediate - User likely to visit first
  IMMEDIATE: ['/sre-dashboard', '/incidents'],

  // Preload - User likely to visit soon after
  PRELOAD: ['/slos', '/slis', '/error-budgets', '/runbooks'],

  // Lazy - Only load when navigating
  LAZY: ['/settings', '/admin/*', '/analytics/*', '/reports/*'],
} as const;

This tells us what to preload aggressively vs. what can wait.

2. Shared Query Options​

We created reusable query options that both the preloader and components use:

// frontend/src/routes/loaders/sreLoaders.ts
export const queryOptions = {
  sreDashboard: (applicationFilter: string = 'all') => ({
    queryKey: ['sre-dashboard', applicationFilter],
    queryFn: async () => {
      const response = await apiClient.get(`/sre-dashboard?${params}`);
      return response.data;
    },
    staleTime: 30000, // Consider fresh for 30 seconds
  }),

  healthScore: (applicationFilter: string = 'all') => ({
    queryKey: ['sre-health-score', applicationFilter],
    queryFn: async () => {
      const response = await apiClient.get(`/sre-dashboard/health-score?${params}`);
      return response.data;
    },
    staleTime: 30000,
  }),
  // ... more query options
};

The key insight: by sharing queryKey and queryFn between preloaders and components, React Query automatically deduplicates requests and shares the cache.

3. Authentication-Triggered Preloading​

We created a hook that fires preloading immediately after authentication:

// frontend/src/hooks/usePreloadCriticalData.ts
export function usePreloadCriticalData(options: { enabled?: boolean } = {}) {
  const queryClient = useQueryClient();
  const preloadedRef = useRef(false);

  useEffect(() => {
    if (!options.enabled || preloadedRef.current) return;
    preloadedRef.current = true;

    // Fire all preloads in parallel
    preloadCriticalData(queryClient);
  }, [options.enabled, queryClient]);
}

The preloadedRef ensures we only preload once per session, even if the user navigates between routes.

4. App Integration​

Finally, we integrated the hook into App.tsx:

function App() {
  const { user } = useAuth();

  // Preload critical SRE data after authentication (Issue #452)
  usePreloadCriticalData({ enabled: !!user });

  // ... rest of app
}

Implementation Details​

The preload function fires 6 parallel requests using Promise.all:

export async function preloadCriticalData(queryClient: QueryClient): Promise<void> {
  console.log('[Preload] Starting critical data preload...');
  const startTime = performance.now();

  try {
    await Promise.all([
      queryClient.prefetchQuery(queryOptions.sreDashboard('all')),
      queryClient.prefetchQuery(queryOptions.healthScore('all')),
      queryClient.prefetchQuery(queryOptions.topIssues('all')),
      queryClient.prefetchQuery(queryOptions.applications()),
      queryClient.prefetchQuery(queryOptions.incidents('Active')),
      queryClient.prefetchQuery(queryOptions.slos()),
      queryClient.prefetchQuery(queryOptions.errorBudgets()),
    ]);

    const elapsed = performance.now() - startTime;
    console.log(`[Preload] Critical data loaded in ${elapsed.toFixed(0)}ms`);
  } catch (error) {
    // Don't throw - preloading is best-effort
    console.warn('[Preload] Failed to preload some critical data:', error);
  }
}

Note the error handling: preloading is best-effort. If some requests fail, the app still works - the component's useQuery will fetch the data normally.

Results​

The performance improvement is significant:

More importantly, the user experience improved:

• SRE Dashboard renders with data immediately after login
• Navigation between critical routes feels instant
• Cache remains valid for 30 seconds, reducing redundant requests

E2E Testing​

We added comprehensive E2E tests to verify the parallel loading behavior:

test('should preload critical API data after authentication', async ({ page }) => {
  const apiRequests: string[] = [];

  page.on('request', (request) => {
    if (request.url().includes('/api/')) {
      apiRequests.push(request.url());
    }
  });

  // Login and wait for preloading
  await page.goto(`${BASE_URL}/login`);
  await page.fill('input[name="email"]', 'admin@example.com');
  await page.fill('input[name="password"]', 'admin123');
  await page.click('button:has-text("Sign In")');
  await page.waitForURL(`${BASE_URL}/sre-dashboard`);
  await page.waitForTimeout(2000);

  // Verify critical endpoints were called
  const criticalEndpoints = ['sre-dashboard', 'health-score', 'applications', 'incidents', 'slos'];
  const foundEndpoints = criticalEndpoints.filter((endpoint) =>
    apiRequests.some((url) => url.includes(endpoint))
  );

  expect(foundEndpoints.length).toBeGreaterThanOrEqual(4);
});

Lessons Learned​

1. Lazy loading isn't always the answer. Sometimes it introduces worse problems than it solves. The code → render → data waterfall is a classic trap.

2. LLM Council reviews catch architectural issues. The REJECTED verdict on ADR-036 forced us to think harder about the performance implications.

3. React Query's cache is powerful. By sharing query options between preloaders and components, we get automatic deduplication and cache sharing.

4. Best-effort preloading is resilient. If preloading fails, the app still works. This makes the feature safe to deploy.

5. Critical path thinking matters. Not all routes need instant loading. Categorizing by urgency lets us focus resources where they matter most.

This post details the implementation of ADR-036 Issue #452 fix.

Published: 2025-01-16

Duplicate detection sounds simple: find things that are similar. But when your system uses multiple detection strategies, merging their results becomes the hard part. Our original implementation used a simple extend() pattern that created more problems than it solved. Here's how weighted scoring fixed it.

The Problem​

Our duplicate detection system used three complementary strategies:

The original merge logic was straightforward:

def _merge_results(main_results, new_results, method):
    """Just extend the lists"""
    for level in ["high_confidence", "medium_confidence", "low_confidence"]:
        if level in new_results:
            for item in new_results[level]:
                if item["id"] not in seen_ids:
                    main_results[level].append(item)

The problem? This treats all strategies as an unconditional OR. If vector says 0.85 similarity and keyword says 0.60 similarity for the same item, which wins?

With extend(), both get added - or worse, only the first one encountered is kept. We lose the precision that comes from multiple strategies agreeing.

The LLM Council review caught this immediately:

"Simple extend treats all strategies as OR → 'High CPU on DB-01' and 'High CPU on DB-02' incorrectly merged as duplicates. Vector catches semantic similarity; fuzzy text catches similar hostnames → distinct incidents merged."

The verdict was REQUEST CHANGES. We needed weighted scoring.

The Solution​

The fix required two conceptual shifts:

1. Weighted aggregation instead of simple append
2. Multi-strategy agreement as a confidence signal

Weighted Scoring Algorithm​

We combine strategy scores with configurable weights:

@dataclass
class WeightedScoringConfig:
    vector_weight: float = 0.5   # Semantic similarity is most reliable
    text_weight: float = 0.3    # Text matching is secondary
    keyword_weight: float = 0.2  # Keyword is least precise
    min_strategies_for_high: int = 2

def calculate_weighted_score(strategy_scores: dict) -> float:
    """
    Score = (Vector * 0.5) + (Text * 0.3) + (Keyword * 0.2)
    Normalizes if some strategies are missing.
    """
    weights = {
        "vector": self.weighted_config.vector_weight,
        "text": self.weighted_config.text_weight,
        "keyword": self.weighted_config.keyword_weight,
    }

    total_weight = 0.0
    weighted_sum = 0.0

    for strategy, score in strategy_scores.items():
        if strategy in weights:
            weight = weights[strategy]
            weighted_sum += score * weight
            total_weight += weight

    # Normalize if not all strategies were used
    if total_weight > 0:
        return weighted_sum / total_weight
    return 0.0

This means if only vector and text detect a match, we normalize: (0.90 * 0.5 + 0.80 * 0.3) / (0.5 + 0.3) = 0.875.

Multi-Strategy Agreement​

A single strategy match should never produce high confidence - too much risk of false positives:

def determine_confidence_level(result, min_strategies_for_high=2):
    """
    High confidence requires multiple strategies to agree.
    Single-strategy matches can only be medium or low.
    """
    strategies_matched = result.get("strategies_matched", 0)
    weighted_score = self.calculate_weighted_score(result.get("scores", {}))

    # Multi-strategy agreement required for high confidence
    if strategies_matched >= min_strategies_for_high and weighted_score >= 0.80:
        return "high"
    elif strategies_matched >= 1 and weighted_score >= 0.65:
        return "medium"
    else:
        return "low"

This simple change dramatically reduces false positives. Even a 0.95 vector similarity can't produce "high" confidence alone.

Entity-Specific Thresholds​

Different entity types need different sensitivity:

ENTITY_THRESHOLDS = {
    "incidents": EntityThresholds(
        high_confidence=0.95,    # Strict - don't suppress real alarms
        medium_confidence=0.85,
        low_confidence=0.75,
    ),
    "runbooks": EntityThresholds(
        high_confidence=0.80,    # Loose - find helpful content
        medium_confidence=0.70,
        low_confidence=0.60,
    ),
    "requirements": EntityThresholds(
        high_confidence=0.85,    # Default - balanced
        medium_confidence=0.75,
        low_confidence=0.65,
    ),
}

For incidents, we want almost-exact matches only (0.95). False negatives are better than suppressing real alarms. For runbooks, we're more permissive (0.80) because finding helpful related content is the goal.

Cascading Execution​

We also optimized for performance by running cheap strategies first:

def get_strategy_execution_order() -> list[str]:
    return ["keyword", "text", "vector"]  # Cheapest first

Keyword matching is just string comparison - nearly free. Vector requires embedding generation or lookup - expensive. By running keyword first, we can potentially skip the expensive vector check if keyword already disqualifies the match.

Implementation​

The updated _merge_results now tracks per-strategy scores:

def _merge_results(main_results, new_results, method):
    """Merge with weighted scoring instead of simple extend."""

    # Initialize tracking dict
    if "_item_scores" not in main_results:
        main_results["_item_scores"] = {}

    for level in ["high_confidence", "medium_confidence", "low_confidence"]:
        for item in new_results.get(level, []):
            item_id = item["id"]

            # Track per-strategy scores for this item
            if item_id not in main_results["_item_scores"]:
                main_results["_item_scores"][item_id] = {
                    "item_data": item,
                    "strategy_scores": {},
                    "strategies_matched": 0,
                }

            # Add score for this strategy
            score = extract_score_by_method(item, method)
            main_results["_item_scores"][item_id]["strategy_scores"][method] = score
            main_results["_item_scores"][item_id]["strategies_matched"] += 1

    # Recategorize based on weighted scoring
    self._recategorize_with_weighted_scoring(main_results)

The key insight: we don't decide the confidence level when processing each strategy. We wait until all strategies have contributed their scores, then calculate the weighted result.

Results​

The weighted scoring approach provides:

Each result now includes full strategy breakdown:

{
  "id": "REQ-001",
  "weighted_score": 0.875,
  "confidence_level": "high",
  "strategies_matched": 2,
  "strategy_scores": {
    "vector": 0.90,
    "text": 0.85
  }
}

This makes debugging straightforward: you can see exactly which strategies contributed and with what scores.

Lessons Learned​

1. Simple OR logic loses precision - When merging results from multiple strategies, preserve the individual contributions.

2. Agreement is a signal - Two strategies detecting the same match is much stronger evidence than one strategy with a high score.

3. Different entities need different thresholds - What's "similar enough" for runbooks is too loose for incidents.

4. Preserve debugging info - The per-strategy scores are invaluable for tuning thresholds and investigating false positives.

5. Order matters for performance - Run cheap strategies first to enable early termination.

This post details the implementation of ADR-038: Duplicate Detection weighted scoring improvements.

Published: 2025-01-16

When the LLM Council reviewed our entity relationships implementation (ADR-026), they flagged a critical flaw: our 4-column primary key blocked multiple relationship types between the same entities, and duplicate relationships could silently corrupt traceability data.

This post details how Issue #458 fixed both data integrity gaps with a proper 5-column primary key.

The Problem​

Our EntityRelationship table connects any two entities with typed relationships:

-- Original schema (simplified)
CREATE TABLE entity_relationships (
    source_type VARCHAR(50),
    source_id VARCHAR(255),
    target_type VARCHAR(50),
    target_id VARCHAR(255),
    relationship_type VARCHAR(50),
    PRIMARY KEY (source_type, source_id, target_type, target_id)
    -- Notice: relationship_type NOT in primary key!
);

The 4-column primary key created two problems:

Problem 1: Blocked Multiple Relationship Types​

-- Insert #1: REQ-001 depends on REQ-002
INSERT INTO entity_relationships
VALUES ('requirement', 'REQ-001', 'requirement', 'REQ-002', 'depends_on');
-- SUCCESS!

-- Insert #2: REQ-001 also references REQ-002
INSERT INTO entity_relationships
VALUES ('requirement', 'REQ-001', 'requirement', 'REQ-002', 'references');
-- FAILS! PK violation (same 4-column key)

This was fundamentally broken—entities couldn't have multiple relationship types!

Problem 2: Potential Duplicate Relationships​

Without proper constraints, race conditions or UI bugs could create duplicate relationships.

Consequences​

1. Feature Blockage: Can't express "depends_on AND references" relationships
2. Graph Pollution: (if duplicates existed) Wrong edge counts
3. IEEE 29148-2018 Non-Compliance: Traceability requires rich relationships

The Solution​

Change the primary key to 5 columns, including relationship_type:

# backend/models/generic_relationships.py
class EntityRelationship(Base):
    __tablename__ = "entity_relationships"

    # 5-column composite primary key
    source_type = Column(String(50), primary_key=True)
    source_id = Column(String(255), primary_key=True)
    target_type = Column(String(50), primary_key=True)
    target_id = Column(String(255), primary_key=True)
    relationship_type = Column(String(50), primary_key=True)  # Now in PK!

Key Insight: Multiple Relationship Types Are Now Valid​

With the 5-column PK:

• REQ-001 → REQ-002 with depends_on ✓
• REQ-001 → REQ-002 with references ✓ (different relationship type = different row)
• REQ-001 → REQ-002 with depends_on again ✗ (exact duplicate blocked by PK)

Migration Strategy​

The migration handles the schema change safely:

def upgrade():
    # Step 1: Remove any duplicates (keep newest by updated_at)
    conn.execute(text("""
        DELETE FROM entity_relationships
        WHERE ctid NOT IN (
            SELECT DISTINCT ON (source_type, source_id, target_type, target_id, relationship_type)
                   ctid
            FROM entity_relationships
            ORDER BY source_type, source_id, target_type, target_id, relationship_type,
                     updated_at DESC NULLS LAST
        )
    """))

    # Step 2: Drop 4-column primary key
    op.drop_constraint("entity_relationships_pkey", "entity_relationships", type_="primary")

    # Step 3: Create 5-column primary key
    op.create_primary_key(
        "entity_relationships_pkey",
        "entity_relationships",
        ["source_type", "source_id", "target_type", "target_id", "relationship_type"],
    )

Testing​

Our TDD tests verify the constraint at the database level:

def test_duplicate_relationship_rejected_at_database_level(self, postgres_db):
    """Exact duplicate 5-tuple MUST raise IntegrityError."""
    rel1 = EntityRelationship(
        source_type="requirement", source_id="REQ-DUP-001",
        target_type="capability", target_id="CAP-DUP-001",
        relationship_type="depends_on",
    )
    postgres_db.add(rel1)
    postgres_db.flush()

    # Attempt exact duplicate
    rel2_duplicate = EntityRelationship(
        source_type="requirement", source_id="REQ-DUP-001",
        target_type="capability", target_id="CAP-DUP-001",
        relationship_type="depends_on",  # Same!
    )
    postgres_db.add(rel2_duplicate)

    with pytest.raises(IntegrityError):
        postgres_db.flush()  # MUST fail

Impact​

Lessons Learned​

1. Composite Primary Keys Need Review: Adding a column to a table doesn't mean it's part of the uniqueness guarantee
2. Semantic Differences Matter: "depends_on" and "references" are different relationships—the fix preserves this distinction
3. Database Constraints > Application Validation: Race conditions can bypass application checks; database constraints are authoritative
4. Migration Must Handle Existing Data: Don't just add constraints—clean up legacy data first

Issue #458 | ADR-026 | LLM Council Blocking Issue Resolved

Published: 2025-01-16

When the LLM Council reviewed our MCP client proxy (ADR-040), they identified a critical gap: our nginx configuration was buffering SSE responses, causing tool execution to hang. Additionally, our standard API rate limits (60 req/min) were breaking MCP negotiation, which is inherently chatty.

This post details how Issue #460 fixed these SSE streaming issues.

The Problem​

Problem 1: nginx Buffering Blocks SSE​

Default nginx proxy configuration buffers responses:

# Default behavior (problematic for SSE)
location /api/ {
    proxy_pass http://backend;
    # proxy_buffering is ON by default!
}

When SSE events are buffered, they arrive in bursts instead of real-time. For MCP:

• Tool execution appears to hang for seconds
• Timeouts during long-running operations
• Poor user experience in Claude Desktop

Problem 2: Rate Limits Break MCP Negotiation​

MCP protocol is chatty during initialization:

• Capabilities exchange
• Tool listing
• Prompt listing
• Resource queries

Our standard 60 req/min limit triggered during normal MCP negotiation, causing connection failures.

The Solution​

1. nginx SSE Location Block​

Added dedicated location block for MCP SSE endpoints:

# MCP SSE endpoint - MUST be before generic /api/
location ~ ^/api/v1/mcp/(sse|message) {
    proxy_pass ${API_PROXY_URL};
    proxy_http_version 1.1;

    # Disable buffering for SSE (critical for real-time events)
    proxy_buffering off;
    proxy_cache off;
    proxy_set_header X-Accel-Buffering "no";

    # Extended timeouts for long-running SSE (4 hours)
    proxy_read_timeout 14400s;
    proxy_send_timeout 14400s;

    # Connection headers for SSE
    proxy_set_header Connection '';
    chunked_transfer_encoding on;
}

Key configurations:

• proxy_buffering off: Events stream immediately
• X-Accel-Buffering: no: Header for upstream servers
• 14400s timeouts: 4-hour sessions for long operations
• Connection '': Prevent connection header interference

2. Split Rate Limiting​

Created separate rate limiters for SSE and messages:

# SSE: Connection-based limit (5 concurrent per user)
class MCPSSERateLimiter:
    def __init__(self, max_connections: int = 5):
        self.max_connections = max_connections

    async def acquire(self, user_id: str, connection_id: str) -> bool:
        """Acquire a connection slot."""
        # Uses Redis SET for atomic connection counting

# Messages: Token bucket (200 req/min, 50 burst)
class MCPMessageRateLimiter:
    def __init__(self, rate_limit: int = 200, burst_limit: int = 50):
        self.rate_limit = rate_limit
        self.burst_limit = burst_limit

    async def check(self, user_id: str) -> bool:
        """Check if message is allowed."""
        # Uses Redis token bucket algorithm

Why split limits?

3. Extended Session TTL​

MCP sessions now have 4-hour TTL to match nginx timeouts:

# backend/api/v1/mcp_sse.py
MCP_SESSION_TTL_SECONDS = 14400  # 4 hours
SSE_READ_TIMEOUT_SECONDS = 14400  # Matches nginx config

Implementation Details​

Rate Limiter Storage​

Uses Redis DB 4 (separate from API rate limiting DB 3):

MCP_RATE_LIMIT_DB = 4

# SSE: Uses Redis SET for connection tracking
key = f"mcp_sse:{user_id}:connections"
# SET contains active connection_ids

# Messages: Uses Redis HASH for token bucket
key = f"mcp_msg:{user_id}"
# HASH contains {tokens: N, last_refill: timestamp}

Rate Limiter Release​

Crucial: Release SSE slot when connection closes:

async def remove_connection(self, connection_id: str):
    # ... disconnect logic ...

    # Release the SSE rate limit slot
    user_key = connection.user_info.email
    await sse_limiter.release(user_key, connection_id)

Without this, users would exhaust their connection limit and be unable to reconnect.

Impact​

Lessons Learned​

1. SSE needs special handling: Standard proxy configs don't work for SSE
2. Different endpoints, different limits: API rate limits don't fit all protocols
3. Match timeouts end-to-end: nginx, backend, and client must agree
4. Resource cleanup matters: Release rate limit slots on disconnect

Issue #460 | ADR-040 | LLM Council Blocking Issue Resolved

Published: 2025-01-16

When the LLM Council reviewed our DataGrid Pro implementation (ADR-035), they identified critical stability issues: missing getRowId props causing row identity recreation, unstable query keys triggering unnecessary refetches, and unthrottled filter/sort handlers causing cascade updates.

This post details how Issue #462 fixed these DataGrid stability issues.

The Problem​

Problem 1: Missing getRowId Causes Row Identity Recreation​

Without an explicit getRowId prop, DataGrid Pro uses array index as the row identifier:

// Before: Row identity based on array index
<DataGridPremium
  rows={data}
  columns={columns}
/>

When the data array is recreated (even with the same values), DataGrid treats all rows as new, causing:

• Loss of selection state
• Scroll position reset
• Unnecessary DOM reconciliation
• Potential infinite loops with controlled components

Problem 2: Unstable Query Keys​

React Query triggers refetches when query key references change:

// Problematic: New object reference every render
const queryKey = ['entities', entityType, { page, filters }];

Combined with DataGrid's server-side pagination callbacks, this creates a feedback loop:

1. DataGrid triggers onPageChange
2. New query key object created
3. React Query refetches
4. New data causes DataGrid to re-render
5. Goto step 1

Problem 3: Unthrottled Filter/Sort Handlers​

DataGrid fires onFilterModelChange and onSortModelChange rapidly during user interaction:

// Before: Every keystroke triggers API call
const handleFilterChange = (model) => {
  setFilters(model);  // Immediate state update
  refetch();          // Immediate API call
};

This causes:

• Excessive API calls during typing
• UI lag from rapid state updates
• Server load from redundant requests

The Solution​

1. Explicit getRowId Prop​

Added getRowId to all DataGrid instances:

<DataGridPremium
  // ADR-035: Explicit getRowId prevents row identity recreation
  getRowId={(row) => row.id}
  rows={safeData}
  columns={columns}
/>

Why this works: The entity's actual ID (UUID or database ID) is used as the row key instead of array position. Row identity is stable across data updates.

2. Stable Query Key Hook​

Created useStableQueryKey for deep comparison of query keys:

// frontend/src/hooks/useStableQueryKey.ts
export function useStableQueryKey<T>(queryKey: T): T {
  const keyRef = useRef<T>(queryKey);

  return useMemo(() => {
    // Only update reference if values actually changed
    if (!isEqual(keyRef.current, queryKey)) {
      keyRef.current = queryKey;
    }
    return keyRef.current;
  }, [queryKey]);
}

Usage:

const queryKey = useStableQueryKey(['entities', entityType, filters]);
// queryKey reference only changes when values actually differ

3. Throttled Handlers​

Created useThrottle hook for rate-limited callbacks:

// frontend/src/hooks/useThrottle.ts
export function useThrottle<T extends (...args: any[]) => void>(
  callback: T,
  delay: number,
  options: { leading?: boolean; trailing?: boolean } = {}
): T {
  // Throttle implementation with leading/trailing edge support
}

Applied to DataGrid:

const handleFilterChangeInternal = useCallback((model) => {
  setFilters(model);
  onFilterChange?.(model);
}, [onFilterChange]);

// ADR-035: Throttle to 300ms prevents cascade updates
const handleFilterChange = useThrottle(handleFilterChangeInternal, 300, {
  leading: true,
  trailing: true
});

<DataGridPremium
  onFilterModelChange={handleFilterChange}
/>

4. URL State Synchronization​

Created useGridUrlState for shareable grid configurations:

// frontend/src/hooks/useGridUrlState.ts
export function useGridUrlState(defaults) {
  const [searchParams, setSearchParams] = useSearchParams();

  // Parse pagination, sort, search from URL
  const state = useMemo(() => ({
    pagination: { page, pageSize },
    sort: [{ field, sort }],
    search
  }), [searchParams]);

  // Update URL without navigation
  const setPagination = (model) => {
    setSearchParams((prev) => {
      prev.set('page', model.page);
      return prev;
    }, { replace: true });
  };

  return { state, setPagination, setSort, setSearch, getApiParams };
}

Benefits:

• Grid state preserved across page refreshes
• Shareable URLs with filters/pagination
• Browser back/forward navigation support

Implementation​

Files Created​

• frontend/src/hooks/useStableQueryKey.ts
• frontend/src/hooks/useThrottle.ts
• frontend/src/hooks/useGridUrlState.ts
• frontend/e2e/datagrid-stability.spec.ts
• frontend/src/hooks/__tests__/useStableQueryKey.test.ts
• frontend/src/hooks/__tests__/useThrottle.test.ts

Files Modified​

• frontend/src/components/tables/MUIEntityTable.tsx

  • Added getRowId={(row) => row.id}
  • Added throttled filter/sort handlers
  • Imported and applied useThrottle

• frontend/src/components/DataGridWrapper.tsx

  • Added getRowId={(row) => row.id}
  • Added memoized rows with useMemo
  • Added throttled handlers

Impact​

Key Takeaways​

1. Always specify getRowId: DataGrid needs stable row identity for controlled components
2. Stabilize query keys: Use deep comparison to prevent unnecessary refetches
3. Throttle user interactions: Rate-limit handlers that trigger API calls
4. URL state enables sharing: Sync grid state to URL for better UX

Issue #462 | ADR-035 | LLM Council Blocking Issue Resolved

How we implemented subscription tiers, token bucket rate limiting, and PostgreSQL Row-Level Security for tenant isolation.

The Multi-Tenancy Challenge​

A SaaS trading platform needs:

1. Data isolation - Users must never see each other's data
2. Feature gating - Tiers unlock different capabilities
3. Rate limiting - Prevent resource exhaustion
4. Fair usage - Higher tiers get more resources

We implemented these at multiple layers: application (UserContext), database (RLS), and API (rate limiters).

Subscription Tiers​

Three tiers with distinct capabilities:

Tiers are defined in code with their limits:

pub enum Tier {
    Free,
    Pro,
    Enterprise,
}

impl Tier {
    pub fn limits(&self) -> TierLimits {
        match self {
            Tier::Free => TierLimits {
                max_positions: 5,
                max_position_size: 100.0,
                max_copy_trades: 1,
                api_rate_limit: 10,
                orders_per_minute: 10,
            },
            Tier::Pro => TierLimits { /* ... */ },
            Tier::Enterprise => TierLimits { /* ... */ },
        }
    }
}

User Context​

The UserContext struct carries user state through request handling:

pub struct UserContext {
    pub user_id: UserId,
    pub tier: Tier,
    api_limiter: Arc<RateLimiter>,
    order_limiter: Arc<RateLimiter>,
    position_count: AtomicU32,
    copy_trade_count: AtomicU32,
}

Each request validates against the context:

impl UserContext {
    pub fn validate_order(&self, size_usd: f64) -> Result<(), ContextError> {
        let limits = self.limits();

        // Check position count
        if self.position_count() >= limits.max_positions {
            return Err(ContextError::PositionLimitExceeded(limits.max_positions));
        }

        // Check order size
        if size_usd > limits.max_position_size {
            return Err(ContextError::OrderSizeExceeded(limits.max_position_size));
        }

        Ok(())
    }
}

Token Bucket Rate Limiting​

We use the token bucket algorithm for rate limiting:

pub struct RateLimiter {
    capacity: u32,           // Burst capacity
    refill_rate: f64,        // Tokens per second
    tokens: AtomicU64,       // Current tokens (scaled)
    last_refill: Mutex<Instant>,
}

The algorithm:

1. Bucket starts full (capacity = burst limit)
2. Each request consumes one token
3. Tokens refill at a steady rate
4. If bucket empty, request is rejected

pub async fn try_acquire(&self) -> Result<(), RateLimitError> {
    self.refill().await;

    loop {
        let current = self.tokens.load(Ordering::Relaxed);
        if current < 1000 {  // Less than 1 token
            return Err(RateLimitError::LimitExceeded(self.capacity, Duration::from_secs(1)));
        }

        let new_value = current - 1000;
        if self.tokens.compare_exchange(current, new_value, Ordering::Relaxed, Ordering::Relaxed).is_ok() {
            return Ok(());
        }
    }
}

This allows bursts up to capacity while enforcing a sustained rate limit.

PostgreSQL Row-Level Security​

Database isolation uses RLS policies:

-- Enable RLS on tables
ALTER TABLE positions ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE credentials ENABLE ROW LEVEL SECURITY;

-- Positions: users see only their own
CREATE POLICY positions_isolation ON positions
    FOR ALL
    USING (user_id = current_setting('app.current_user_id')::uuid);

-- Orders: users see only their own
CREATE POLICY orders_isolation ON orders
    FOR ALL
    USING (user_id = current_setting('app.current_user_id')::uuid);

-- Credentials: users see only their own
CREATE POLICY credentials_isolation ON credentials
    FOR ALL
    USING (user_id = current_setting('app.current_user_id')::uuid);

Before each request, we set the session variable:

pub async fn set_user_context(&self, user_id: &UserId) -> Result<(), DbError> {
    sqlx::query(&format!(
        "SET LOCAL app.current_user_id = '{}'",
        user_id
    ))
    .execute(&self.pool)
    .await?;

    Ok(())
}

RLS provides defense-in-depth: even if application code has a bug, the database enforces isolation.

Testing Strategy​

57 tests verify multi-tenancy:

Key tests include:

#[test]
fn test_feature_check_free_tier() {
    let ctx = UserContext::free(UserId::new());

    assert!(ctx.check_feature(Feature::BasicTrading).is_ok());
    assert!(ctx.check_feature(Feature::Arbitrage).is_err());
}

#[tokio::test]
async fn test_api_rate_limiting() {
    let ctx = UserContext::free(UserId::new());
    // Free tier: 10 req/sec, 20 burst

    for _ in 0..20 {
        assert!(ctx.check_api_rate().await.is_ok());
    }
    assert!(ctx.check_api_rate().await.is_err());
}

Architecture Diagram​

┌──────────────────────────────────────────────────────────────┐
│                      API Request                              │
└──────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────┐
│  1. JWT Validation → Extract user_id and tier                │
└──────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────┐
│  2. Load UserContext → Initialize rate limiters               │
└──────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────┐
│  3. Check Rate Limits → Token bucket algorithm               │
└──────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────┐
│  4. Check Feature Access → Tier allows this operation?       │
└──────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────┐
│  5. Validate Limits → Position count, order size             │
└──────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────┐
│  6. Set RLS Context → SET LOCAL app.current_user_id          │
└──────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌──────────────────────────────────────────────────────────────┐
│  7. Execute Query → RLS enforces row-level isolation         │
└──────────────────────────────────────────────────────────────┘

Lessons Learned​

1. Layer defenses - Application + database isolation
2. Token bucket is versatile - Handles burst and sustained limits
3. RLS is powerful - But requires careful policy design
4. Test isolation explicitly - Don't assume it works

Multi-tenancy touches every layer of the application. Getting it right early prevents painful refactoring later.