Deploy backend from GitHub c7b5c288e89c3d1884e6d556b62378976a19fef4

Dockerfile

@@ -2,8 +2,6 @@
 # HF Spaces requires the app to listen on port 7860.
 #
 # Required Secrets (set in Space Settings -> Repository secrets):
-#   FIREBASE_PROJECT_ID        – Firebase project ID
-#   FIREBASE_CREDENTIALS_JSON  – Full service account JSON as a single-line string
 #   REDIS_URL                  – Upstash Redis URL (rediss://...)
 #   HF_API_KEY                 – Hugging Face API token
 #   GROQ_API_KEY               – Groq API key

README.md

@@ -14,8 +14,6 @@ FastAPI backend for the Sentinel LLM Misuse Detection System.
 Exposes a REST API on port 7860.
 
 ## Secrets required (Space Settings → Repository secrets)
-- `FIREBASE_PROJECT_ID`
-- `FIREBASE_CREDENTIALS_JSON`
 - `REDIS_URL`
 - `HF_API_KEY`
 - `GROQ_API_KEY`

backend/app/api/auth_routes.py

@@ -1,40 +0,0 @@
-"""
-Authentication routes for user registration and login.
-"""
-from fastapi import APIRouter, Depends, HTTPException, status
-from sqlalchemy.ext.asyncio import AsyncSession
-from sqlalchemy import select
-
-from backend.app.api.models import AuthRequest, TokenResponse
-from backend.app.core.auth import hash_password, verify_password, create_access_token
-from backend.app.db.session import get_session
-from backend.app.models.schemas import User
-
-router = APIRouter(prefix="/api/auth", tags=["authentication"])
-
-
-@router.post("/register", response_model=TokenResponse, status_code=201)
-async def register(req: AuthRequest, session: AsyncSession = Depends(get_session)):
-    """Register a new user."""
-    stmt = select(User).where(User.email == req.email)
-    existing = await session.execute(stmt)
-    if existing.scalar_one_or_none():
-        raise HTTPException(status_code=409, detail="Email already registered")
-
-    user = User(email=req.email, hashed_password=hash_password(req.password))
-    session.add(user)
-    await session.commit()
-    token = create_access_token(subject=user.id)
-    return TokenResponse(access_token=token)
-
-
-@router.post("/login", response_model=TokenResponse)
-async def login(req: AuthRequest, session: AsyncSession = Depends(get_session)):
-    """Login with email and password."""
-    stmt = select(User).where(User.email == req.email)
-    result = await session.execute(stmt)
-    user = result.scalar_one_or_none()
-    if not user or not verify_password(req.password, user.hashed_password):
-        raise HTTPException(status_code=401, detail="Invalid credentials")
-    token = create_access_token(subject=user.id)
-    return TokenResponse(access_token=token)

backend/app/api/models.py

@@ -1,6 +1,6 @@
 """
 Pydantic request/response models for the API.
-Auth is handled entirely by Firebase on the frontend — no auth models here.
+Authentication is not part of the public API.
 """
 from pydantic import BaseModel, Field
 from typing import List, Optional

backend/app/api/routes.py

@@ -1,7 +1,7 @@
 """
 Main API routes for the LLM Misuse Detection system.
 Endpoints: /api/analyze, /api/analyze/bulk, /api/results/{id}
-Persistence: Firestore via REST helpers.
+Persistence: in-process result storage helpers.
 """
 import hashlib
 import json
@@ -117,7 +117,7 @@ async def _analyze_text(text: str, user_id: str | None = None) -> dict:
         saved = await save_document(COLLECTION, doc.id, doc.to_dict())
         result["id"] = doc.id if saved else text_hash
     except Exception:
-        # Silently skip Firestore - it's optional
+        # Silently skip persistence - it's optional
         result["id"] = text_hash
 
     return result
@@ -168,7 +168,7 @@ async def bulk_analyze(request: BulkAnalyzeRequest):
 
 @router.get("/results/{result_id}", response_model=AnalyzeResponse)
 async def get_result(result_id: str):
-    """Fetch a previously computed analysis result by Firestore document ID."""
+    """Fetch a previously computed analysis result by stored result ID."""
     data = await get_document(COLLECTION, result_id)
     if not data:
         raise HTTPException(status_code=404, detail="Result not found")

backend/app/core/auth.py

@@ -1,43 +0,0 @@
-"""
-Firebase Authentication utilities.
-Verifies Firebase ID tokens issued by the frontend (Firebase Auth SDK).
-
-Requires firebase-admin to be initialised first (done in main.py lifespan
-via backend.app.db.firestore.init_firebase).
-
-Env vars: FIREBASE_CREDENTIALS_JSON, FIREBASE_PROJECT_ID
-"""
-from fastapi import Depends, HTTPException, status
-from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
-from firebase_admin import auth as firebase_auth
-
-security_scheme = HTTPBearer()
-
-
-async def get_current_user(
-    credentials: HTTPAuthorizationCredentials = Depends(security_scheme),
-) -> str:
-    """
-    Dependency: extracts and verifies the Firebase ID token from the
-    Authorization: Bearer <id_token> header.
-    Returns the Firebase UID of the authenticated user.
-    """
-    id_token = credentials.credentials
-    try:
-        decoded = firebase_auth.verify_id_token(id_token)
-    except firebase_auth.ExpiredIdTokenError:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Firebase ID token has expired. Please re-authenticate.",
-        )
-    except firebase_auth.InvalidIdTokenError:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid Firebase ID token.",
-        )
-    except Exception as e:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail=f"Token verification failed: {str(e)}",
-        )
-    return decoded["uid"]

backend/app/core/config.py

@@ -14,12 +14,6 @@ class Settings(BaseSettings):
     APP_NAME: str = "Zynera"
     DEBUG: bool = False
 
-    # Firebase
-    FIREBASE_PROJECT_ID: str = ""
-    FIREBASE_CREDENTIALS_JSON: Optional[str] = None
-    # Set to False to skip Firestore init at startup (useful when credentials are absent)
-    FIRESTORE_AUTO_INIT: bool = True
-
     # Redis
     REDIS_URL: str = "redis://localhost:6379/0"
 
@@ -28,10 +22,10 @@ class Settings(BaseSettings):
 
     # HuggingFace
     HF_API_KEY: str = ""
-    HF_DETECTOR_PRIMARY: str = f"{_HF_ROUTER}/Hello-SimpleAI/chatgpt-detector-roberta"
-    HF_DETECTOR_FALLBACK: str = ""
-    HF_EMBEDDINGS_PRIMARY: str = ""
-    HF_EMBEDDINGS_FALLBACK: str = ""
+    HF_DETECTOR_PRIMARY: str = f"{_HF_ROUTER}/desklib/ai-text-detector-v1.01"
+    HF_DETECTOR_FALLBACK: str = f"{_HF_ROUTER}/fakespot-ai/roberta-base-ai-text-detection-v1"
+    HF_EMBEDDINGS_PRIMARY: str = f"{_HF_ROUTER}/sentence-transformers/all-mpnet-base-v2"
+    HF_EMBEDDINGS_FALLBACK: str = f"{_HF_ROUTER}/sentence-transformers/all-MiniLM-L6-v2"
     HF_HARM_CLASSIFIER: str = f"{_HF_ROUTER}/facebook/roberta-hate-speech-dynabench-r4-target"
 
     # Groq
@@ -58,6 +52,7 @@ class Settings(BaseSettings):
 
     PERPLEXITY_THRESHOLD: float = 0.3
     RATE_LIMIT_PER_MINUTE: int = 30
+    RESULT_STORE_LIMIT: int = 512
 
     @property
     def cors_origins_list(self) -> List[str]:

backend/app/db/firestore.py

@@ -1,117 +1,53 @@
 """
-Firestore client using the official firebase-admin SDK.
+Lightweight in-process storage helpers for analysis results.
 
-Why firebase-admin (not REST):
-  The REST approach required google.auth to sign JWTs directly, which
-  failed with 'invalid_grant: Invalid JWT Signature' when the private_key
-  in FIREBASE_CREDENTIALS_JSON had double-escaped newlines (\\n) from
-  HF Spaces env-var storage. The firebase-admin SDK handles credential
-  refresh internally without surface-level JWT errors, and the
-  _fix_private_key helper below corrects the newline escaping before the
-  SDK ever touches the key.
-
-Env vars required:
-  FIREBASE_CREDENTIALS_JSON  – service account JSON string
-  FIREBASE_PROJECT_ID        – e.g. "fir-config-d3c36"
+Firebase/Firestore auth has been removed from the runtime because the app no
+longer uses login/signup, and startup must not depend on external credentials.
+The public helper API is preserved so the analysis routes can keep storing and
+retrieving recent results without any deployment-time setup.
 """
 from __future__ import annotations
 
-import json
-import threading
+from collections import OrderedDict
 from typing import Any
 
-import firebase_admin
-from firebase_admin import credentials, firestore as fb_firestore
-import google.auth.exceptions
-
 from backend.app.core.config import settings
 from backend.app.core.logging import get_logger
 
 logger = get_logger(__name__)
 
-_db: Any = None
-_enabled: bool = False
-
-
-def _fix_private_key(d: dict) -> dict:
-    """Unescape double-escaped newlines in private_key (common in HF Spaces env-var pastes)."""
-    if "private_key" in d:
-        d["private_key"] = d["private_key"].replace("\\\\n", "\\n").replace("\\n", "\n")
-    return d
-
-
-def _init_firebase_with_timeout():
-    """Internal function to initialize Firebase with a timeout."""
-    global _db, _enabled
-    
-    try:
-        cred_dict = json.loads(settings.FIREBASE_CREDENTIALS_JSON)
-        cred_dict = _fix_private_key(cred_dict)
-
-        # Avoid re-initialising if already done (e.g. hot reload in dev)
-        if not firebase_admin._apps:
-            cred = credentials.Certificate(cred_dict)
-            firebase_admin.initialize_app(cred)
-
-        _db = fb_firestore.client()
-        _enabled = True
-        project = settings.FIREBASE_PROJECT_ID or cred_dict.get("project_id", "")
-        logger.info("Firebase + Firestore initialised", project=project)
-    except Exception:
-        _db = None
-        _enabled = False
+_db: "OrderedDict[str, dict[str, Any]]" = OrderedDict()
+_enabled: bool = True
 
 
 def init_firebase() -> None:
-    """Initialise firebase-admin app and Firestore client. Non-fatal if misconfigured.
-    
-    Uses threading with a 5-second timeout to prevent hanging.
-    """
-    global _db, _enabled
+    """Legacy no-op kept for compatibility with existing imports/tests."""
+    logger.info("Using in-memory analysis result storage")
 
-    if not settings.FIREBASE_CREDENTIALS_JSON:
-        # Silently disable if not configured
-        _enabled = False
-        return
-
-    # Use threading for timeout instead of signal (more portable)
-    init_thread = threading.Thread(target=_init_firebase_with_timeout, daemon=True)
-    init_thread.start()
-    init_thread.join(timeout=5.0)  # Wait max 5 seconds
-    
-    if init_thread.is_alive():
-        # Timeout reached - thread still running
-        _db = None
-        _enabled = False
-        logger.info("Firebase init timed out - disabled (non-critical)")
-
-
-# ---- Public helpers --------------------------------------------------------
 
 async def save_document(collection: str, doc_id: str, data: dict) -> bool:
-    """Create or overwrite a Firestore document. Returns True on success."""
-    if not _enabled or _db is None:
-        return False
-    try:
-        _db.collection(collection).document(doc_id).set(data)
-        return True
-    except (google.auth.exceptions.RefreshError, Exception):
-        # Silently fail - no logs, just return False
+    """Store a recent analysis result in memory."""
+    if not _enabled:
         return False
 
+    key = f"{collection}:{doc_id}"
+    _db[key] = dict(data)
+    _db.move_to_end(key)
+    if len(_db) > settings.RESULT_STORE_LIMIT:
+        _db.popitem(last=False)
+    return True
+
 
 async def get_document(collection: str, doc_id: str) -> dict | None:
-    """Fetch a single Firestore document. Returns None if not found or disabled."""
-    if not _enabled or _db is None:
-        return None
-    try:
-        doc = _db.collection(collection).document(doc_id).get()
-        return doc.to_dict() if doc.exists else None
-    except (google.auth.exceptions.RefreshError, Exception):
-        # Silently fail - no logs, just return None
+    """Fetch a previously stored analysis result from memory."""
+    if not _enabled:
         return None
 
+    key = f"{collection}:{doc_id}"
+    data = _db.get(key)
+    return dict(data) if data is not None else None
+
 
 def get_db():
-    """Legacy shim. Returns the Firestore client or None if disabled."""
+    """Legacy shim. Returns the current in-memory store."""
     return _db if _enabled else None

backend/app/main.py

@@ -2,9 +2,6 @@
 FastAPI main application entry point.
 Configures CORS, secure headers, routes, and observability.
 
-Auth: Firebase Auth (frontend issues ID tokens; backend verifies via firebase-admin)
-DB:   Firestore (via firebase-admin SDK)
-
 Env vars: All from core/config.py
 Run: uvicorn backend.app.main:app --host 0.0.0.0 --port 7860
 """
@@ -19,7 +16,6 @@ from backend.app.core.config import settings
 from backend.app.core.logging import setup_logging, get_logger
 from backend.app.api.routes import router as analysis_router
 from backend.app.api.models import HealthResponse
-from backend.app.db.firestore import init_firebase
 
 # Sentry (optional)
 if settings.SENTRY_DSN:
@@ -38,10 +34,6 @@ REQUEST_LATENCY = Histogram("http_request_duration_seconds", "Request latency",
 @asynccontextmanager
 async def lifespan(app: FastAPI):
     logger.info("Starting Zynera API")
-    if settings.FIRESTORE_AUTO_INIT:
-        init_firebase()
-    else:
-        logger.info("Firestore auto-init disabled (FIRESTORE_AUTO_INIT=false) – skipping")
     yield
     logger.info("Shutting down")
 

backend/requirements.txt

@@ -5,9 +5,6 @@ uvicorn[standard]==0.34.0
 pydantic==2.10.4
 pydantic-settings==2.7.1
 
-# Firebase (Auth verification + Firestore)
-firebase-admin==6.5.0
-
 # Redis / Queue
 redis==5.2.1
 rq==2.1.0

backend/tests/test_api.py

@@ -1,6 +1,6 @@
 """
 Integration tests for the API endpoints with mocked external services.
-Tests /api/analyze, /health, /metrics — no real Firebase, Firestore, or Redis needed.
+Tests /api/analyze, /health, /metrics — no external auth, persistence, or Redis needed.
 """
 import pytest
 from unittest.mock import AsyncMock, patch, MagicMock
@@ -8,10 +8,8 @@ from fastapi.testclient import TestClient
 
 
 def _make_client():
-    """Build a TestClient with Firebase init and Firestore writes mocked out."""
-    # Patch init_firebase and the _enabled flag so the app starts without real credentials
-    with patch("backend.app.db.firestore.init_firebase"), \
-         patch("backend.app.db.firestore._enabled", True), \
+    """Build a TestClient with persistence and external calls mocked out."""
+    with patch("backend.app.db.firestore._enabled", True), \
          patch("backend.app.db.firestore.save_document", new_callable=AsyncMock, return_value=True), \
          patch("backend.app.db.firestore.get_document", new_callable=AsyncMock, return_value=None):
         from backend.app.main import app
@@ -27,40 +25,26 @@ def client():
     return c
 
 
-class TestStartupWithoutCredentials:
-    """Verify the server starts cleanly when no GCP/Firebase credentials are present."""
+class TestStartup:
+    """Verify the server starts cleanly without auth or external storage."""
 
-    def test_health_returns_200_without_firebase_credentials(self):
-        """App must start and /health must return 200 even without Firebase credentials."""
-        # Use the same safe mock pattern as _make_client() – no real credentials needed
+    def test_health_returns_200_on_startup(self):
+        """App must start and /health must return 200 with default settings."""
         c, _ = _make_client()
         response = c.get("/health")
         assert response.status_code == 200
         data = response.json()
         assert data["status"] == "ok"
 
-    def test_firestore_auto_init_false_skips_init(self):
-        """When FIRESTORE_AUTO_INIT is False, init_firebase must not be invoked at startup."""
-        from backend.app.main import app as _app
-        from backend.app.core import config
-
-        original = config.settings.FIRESTORE_AUTO_INIT
-        try:
-            config.settings.FIRESTORE_AUTO_INIT = False
-            with patch("backend.app.db.firestore.init_firebase") as mock_init:
-                # Simulate a lifespan startup by calling the lifespan coroutine
-                import asyncio
-                from contextlib import asynccontextmanager
-
-                async def run_lifespan():
-                    from backend.app.main import lifespan
-                    async with lifespan(_app):
-                        pass
+    @pytest.mark.asyncio
+    async def test_in_memory_storage_round_trip(self):
+        """Recent analysis results should still be retrievable without Firestore."""
+        from backend.app.db.firestore import save_document, get_document, _db
 
-                asyncio.run(run_lifespan())
-                mock_init.assert_not_called()
-        finally:
-            config.settings.FIRESTORE_AUTO_INIT = original
+        _db.clear()
+        payload = {"id": "abc123", "status": "done", "threat_score": 0.42}
+        assert await save_document("analysis_results", "abc123", payload) is True
+        assert await get_document("analysis_results", "abc123") == payload
 
 
 class TestHealthEndpoint:
@@ -182,42 +166,17 @@ class TestAssistEndpoint:
             config.settings.GROQ_API_KEY = original
 
 
-class TestFirestoreRefreshError:
-    """Verify RefreshError is logged at DEBUG, not WARNING."""
-
-    @pytest.mark.asyncio
-    async def test_save_document_refresh_error_returns_false(self):
-        """RefreshError in save_document should return False without raising."""
-        import google.auth.exceptions
-        from unittest.mock import MagicMock, patch
-
-        mock_db = MagicMock()
-        mock_db.collection.return_value.document.return_value.set.side_effect = (
-            google.auth.exceptions.RefreshError("invalid_grant: Invalid JWT Signature")
-        )
-
-        with patch("backend.app.db.firestore._enabled", True), \
-             patch("backend.app.db.firestore._db", mock_db):
-            from backend.app.db.firestore import save_document
-            result = await save_document("test_col", "test_doc", {"key": "value"})
-            assert result is False
-
-    @pytest.mark.asyncio
-    async def test_get_document_refresh_error_returns_none(self):
-        """RefreshError in get_document should return None without raising."""
-        import google.auth.exceptions
-        from unittest.mock import MagicMock, patch
-
-        mock_db = MagicMock()
-        mock_db.collection.return_value.document.return_value.get.side_effect = (
-            google.auth.exceptions.RefreshError("invalid_grant: Invalid JWT Signature")
-        )
+class TestModelConfiguration:
+    def test_default_models_match_documented_endpoints(self):
+        """Default backend model settings should match the documented README models."""
+        from backend.app.core.config import settings
 
-        with patch("backend.app.db.firestore._enabled", True), \
-             patch("backend.app.db.firestore._db", mock_db):
-            from backend.app.db.firestore import get_document
-            result = await get_document("test_col", "test_doc")
-            assert result is None
+        router_base = "https://router.huggingface.co/hf-inference/models"
+        assert settings.HF_DETECTOR_PRIMARY == f"{router_base}/desklib/ai-text-detector-v1.01"
+        assert settings.HF_DETECTOR_FALLBACK == f"{router_base}/fakespot-ai/roberta-base-ai-text-detection-v1"
+        assert settings.HF_EMBEDDINGS_PRIMARY == f"{router_base}/sentence-transformers/all-mpnet-base-v2"
+        assert settings.HF_EMBEDDINGS_FALLBACK == f"{router_base}/sentence-transformers/all-MiniLM-L6-v2"
+        assert settings.HF_HARM_CLASSIFIER == f"{router_base}/facebook/roberta-hate-speech-dynabench-r4-target"
 
 
 class TestAttackSimulations:

backend/tests/test_auth.py

@@ -1,60 +0,0 @@
-"""
-Unit tests for Firebase token verification (auth.py).
-Mocks firebase_admin.auth so no real Firebase project is needed in CI.
-"""
-import pytest
-from unittest.mock import patch, MagicMock
-from fastapi import HTTPException
-from fastapi.security import HTTPAuthorizationCredentials
-
-
-class TestFirebaseTokenVerification:
-
-    @patch("backend.app.core.auth.firebase_auth")
-    async def test_valid_token_returns_uid(self, mock_fb_auth):
-        """A valid Firebase ID token should return the uid."""
-        from backend.app.core.auth import get_current_user
-
-        mock_fb_auth.verify_id_token.return_value = {"uid": "user-abc-123"}
-        mock_fb_auth.ExpiredIdTokenError = Exception
-        mock_fb_auth.InvalidIdTokenError = Exception
-
-        creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials="fake-valid-token")
-        uid = await get_current_user(credentials=creds)
-        assert uid == "user-abc-123"
-        mock_fb_auth.verify_id_token.assert_called_once_with("fake-valid-token")
-
-    @patch("backend.app.core.auth.firebase_auth")
-    async def test_expired_token_raises_401(self, mock_fb_auth):
-        """An expired Firebase token should raise HTTP 401."""
-        from backend.app.core.auth import get_current_user
-
-        class FakeExpiredError(Exception):
-            pass
-
-        mock_fb_auth.ExpiredIdTokenError = FakeExpiredError
-        mock_fb_auth.InvalidIdTokenError = Exception
-        mock_fb_auth.verify_id_token.side_effect = FakeExpiredError("expired")
-
-        creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials="expired-token")
-        with pytest.raises(HTTPException) as exc_info:
-            await get_current_user(credentials=creds)
-        assert exc_info.value.status_code == 401
-        assert "expired" in exc_info.value.detail.lower()
-
-    @patch("backend.app.core.auth.firebase_auth")
-    async def test_invalid_token_raises_401(self, mock_fb_auth):
-        """A tampered / invalid Firebase token should raise HTTP 401."""
-        from backend.app.core.auth import get_current_user
-
-        class FakeInvalidError(Exception):
-            pass
-
-        mock_fb_auth.ExpiredIdTokenError = Exception
-        mock_fb_auth.InvalidIdTokenError = FakeInvalidError
-        mock_fb_auth.verify_id_token.side_effect = FakeInvalidError("invalid")
-
-        creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials="bad-token")
-        with pytest.raises(HTTPException) as exc_info:
-            await get_current_user(credentials=creds)
-        assert exc_info.value.status_code == 401