Astra Architecture¶
Astra is a package-first authentication and authorization platform for Python applications. The repository is organized as a workspace of separately installable packages that share a common runtime model, but each package has a clear ownership boundary. The platform can be used as a library inside an application, mounted through framework adapters, operated through the CLI, or inspected through the browser admin UI.
This document describes the current architecture, runtime flows, security model, package boundaries, persistence strategy, operator tooling, documentation structure, and Version 1 release readiness.
Architecture Goals¶
Astra is designed around these goals:
- Keep the core authentication and authorization model framework-neutral.
- Compose runtime services from explicit stores, registries, providers, and managers.
- Make framework adapters thin wiring layers over the same service and HTTP adapter contracts.
- Support package-by-package adoption instead of forcing one monolithic server.
- Keep operational workflows scriptable through the CLI and inspectable through the browser admin UI.
- Make secrets, token keys, setup artifacts, audit records, and throttling state explicit runtime-home assets.
- Prefer local, testable Python contracts over hidden external services.
| Public Name | Technical Package / Namespace | Description |
|---|---|---|
Astra Yantra |
astraauth (astraauth.core) |
Core platform domain models, persistence drivers, and auth protocols |
Astra Sutra |
astraauth (astraauth.service) |
Runtime service execution engine, session validators, and setup helpers |
Astra Setu |
astraauth (astraauth.adapters) |
Web framework adapters and HTTP middleware layers |
Astra Tantra |
astraauth-plugins (astraauth_plugins / astraauth.plugins) |
Plugin hub and hook extension registry |
Astra Pramaan |
astraauth (astraauth.idp) |
OIDC federation providers and discovery routing |
Astra Mudra |
astraauth (astraauth.webauthn) |
WebAuthn verification contracts and authentication |
Astra Niyam |
astraauth-policy (astraauth_policy) |
Zanzibar-style ReBAC schema parsing and permission solving |
Astra Mandal |
astraauth-tenancy (astraauth_tenancy) |
Multi-tenancy isolation and dynamic routing |
Astra Dwaar |
astraauth-cli (astraauth_cli) |
Operator CLI tool and Textual TUI panel |
Astra Netra |
astraauth-admin-ui (astraauth_admin_ui) |
Operator Web Admin Console dashboard |
The root distribution astraauth contains the primary library code. Ancillary utilities compile against it as workspace members.
Repository Layout¶
Astra/
|-- docs/ Published documentation source
|-- examples/ Polished E2E framework sample applications and demos
|-- src/
| `-- astraauth/ Consolidated package source
| |-- core/ Core domain and persistence layers
| |-- service/ Observability and composition facade
| |-- adapters/ Framework adapters (fastapi, django, etc.)
| |-- idp/ Enterprise OIDC federation
| |-- webauthn/ WebAuthn ceremony verifiers
| `-- plugins/ Core plugins engine and contracts
|-- packages/
| |-- astraauth-cli/ Operator CLI (Astra Dwaar)
| |-- astraauth-admin-ui/ Browser admin UI (Astra Netra)
| |-- astraauth-plugins/ Plugins hub and built-in implementations (Astra Tantra)
| |-- astraauth-policy/ ReBAC access policy engine (Astra Niyam)
| `-- astraauth-tenancy/ Multi-tenancy isolation routing (Astra Mandal)
|-- tests/ Consolidated tests suite
|-- zensical.toml Documentation site configuration
|-- pyproject.toml Workspace root configuration
|`-- uv.lock Workspace dependency lock
High-Level Runtime Model¶
Astra has a consolidated runtime model:
- Core domain components and services (under
astraauth.core,astraauth.idp,astraauth.webauthn, andastraauth.plugins) define protocols, storage models, and encryption parameters. - The service submodule (
astraauth.service) composes these pieces into anAstraAuthServicefacade. - Framework adapters (
astraauth.adapters) map framework-specific request/response objects to the core HTTP adapter contracts. - Operator tools (
astraauth-cli,astraauth-admin-ui) load the core service facade.
flowchart TB
App[Python application] --> Adapter[Framework adapter]
Adapter --> HTTP[OAuthHTTPAdapter]
HTTP --> Service[AstraAuthService]
CLI[Astra Dwaar CLI] --> Startup[Runtime startup helpers]
Admin[Astra Netra browser UI] --> Startup
Startup --> Service
Service --> Core[astraauth.core]
Service --> IdP[astraauth.idp]
Service --> Plugins[astraauth.plugins]
Service --> WebAuthn[astraauth.webauthn]
Core --> Stores[Session, MFA, plugin, IDP stores]
Core --> Keys[TokenKeyManager]
Stores --> Persistence[SQLite, Postgres, MySQL, memory]
Keys --> RuntimeHome[Runtime home secrets]
Core Package Architecture¶
astraauth.core owns the platform's framework-neutral domain model.
Configuration¶
The configuration model is centered on AuthConfig and related settings models:
AuthConfigdefines project name, environment, issuer, token TTL, clock skew, signing and encryption algorithms, dev mode, persistence, IDP, and observability settings.PersistenceConfigmaps logical stores to relational store configs.RelationalStoreConfigsupports SQLite, Postgres, and MySQL DSNs for sync and async modes.- Settings can be saved as encrypted JSON under the runtime home.
- Runtime settings key custody is tracked through metadata so diagnostics can report stale or missing keys.
Runtime config is file-backed by default. This makes local development, CI, package examples, and operator backup workflows deterministic.
Persistence¶
The relational abstraction normalizes DSNs, infers dialects, compiles SQL placeholders, and creates sync or async database handles.
Supported persistence modes include:
- In-memory stores for tests, examples, and embedded use.
- SQLite for local runtime homes and package-first deployments.
- Postgres for production deployments that need external relational persistence.
- MySQL for production deployments that standardize on MySQL-compatible storage.
- Redis session store support for session-specific deployments.
The relational layer uses protocol-style cursor and connection interfaces so downstream stores can be written once and backed by different database drivers.
OAuth, Sessions, and Tokens¶
Core OAuth responsibilities include client validation, authorization code flow with PKCE, refresh token rotation, password grants, API key grants, token exchange scaffolding, OIDC ID token claim building, and token validation.
TokenKeyManager is the central authority for token key material:
- Bootstraps signing and encryption RSA keys when no persisted key state exists.
- Issues signed JWT access and ID tokens.
- Issues and decrypts encrypted JWE payloads.
- Verifies JWT claims, issuer, audience, schema version, expiry, and not-before windows.
- Rotates signing or encryption keys independently.
- Exposes public JWKS.
- Dumps and restores private key state for runtime-home persistence and operator backup workflows.
Sessions are first-class records with subject, tenant, client, scopes, issue and expiry times, revoked state, version, ACR, AMR, and auth time. Session stores include in-memory, SQL, async SQL, and Redis-backed implementations.
MFA and Authorization¶
MFA support includes TOTP factor enrollment and activation, email OTP code delivery and verification, MFA challenge creation, and session upgrade after verified challenge state. WebAuthn lives in astraauth.webauthn, but integrates with core MFA challenge and session upgrade contracts.
Authorization combines role assignment and policy evaluation:
Rolemodels named permission sets.- Tenant-scoped role assignments connect subjects to roles per tenant.
- Authorization engine resolves roles and permissions.
- Policy rules can return allow, deny, or step-up outcomes.
- Scope policy maps permissions to OAuth scopes and can enforce strict scope filtering.
This provides a hybrid baseline: RBAC for common tenant authorization, policy rules for context-sensitive decisions, and STEP_UP for flows requiring stronger authentication.
Security Utilities¶
Core security utilities include shared throttling, in-memory throttling, security header helpers, password hashing abstractions, API key digesting, and redaction-aware operator output. The shared throttle store is used by runtime and admin UI workflows so repeated failures and sensitive actions can be rate-limited across workers.
Service Package Architecture¶
astraauth.service composes domain pieces into a deployable runtime.
Service Facade¶
AstraAuthService includes:
- HTTP adapter.
- OAuth clients, subjects, authorization codes, sessions, roles, assignments, password authenticator, and API key authenticator.
- Token manager.
- Plugin runtime and hook runner.
- MFA challenge and factor stores.
- Email OTP delivery abstraction.
- WebAuthn handler and repositories.
- OIDC federation handler and repositories.
- Throttle store.
The service facade exposes convenience methods for adding clients, subjects, roles, plugin registrations, OIDC providers, and MFA enrollments.
Runtime Composition¶
build_service builds an in-memory or persisted service from an AuthConfig. It selects stores based on configured persistence:
- In-memory backend for ephemeral/default use.
- SQL stores when configured for SQLite, Postgres, or MySQL.
- Plugin registry and throttle store based on persistence settings.
- WebAuthn repositories using the MFA persistence backend.
- IDP repositories using the IDP persistence backend.
build_service_from_home loads runtime config and token key state from the runtime home, builds the service, and applies the bootstrap manifest.
Runtime Home¶
The runtime home is the operational state directory. By default it is .astraauth in the project root unless ASTRAAUTH_HOME or --home points elsewhere.
| Path | Purpose |
|---|---|
config.json |
Runtime configuration, encrypted by default. |
bootstrap.json |
Bootstrap admin records and setup tokens. |
secrets/settings.key |
Fernet key used to encrypt runtime config and state artifacts. |
secrets/settings-key-metadata.json |
Settings key custody metadata. |
secrets/token-keys.json |
Persisted private token key state, encrypted by default. |
logs/plugin-runtime-audit.jsonl |
Plugin hook and endpoint audit records. |
admin-actions.json |
Admin UI action audit trail, encrypted by runtime mapping. |
data/ |
SQLite databases and shared throttle stores. |
Bootstrap and Operator Functions¶
Bootstrap supports first-run operator setup:
initialize_config_homewrites config.create_bootstrap_setup_tokencreates short-lived setup tokens.verify_bootstrap_setup_tokenvalidates setup tokens.write_initial_admin_setupwrites bootstrap admin records.lock_bootstrap_setupdisables future setup-token issuance.apply_bootstrap_manifestloads bootstrap admins into the runtime service.
The service package also exports runtime config load, validate, reload, export, and import helpers; token key manager load, save, export, import, rotate, and JWKS export helpers; runtime health, inventory, persistence, security, diagnostics, and observability reports; backup artifact verification; and audit listing.
The operator API is intentionally Python-callable so CLI commands, admin UI endpoints, tests, and custom deployments can share the same behavior.
HTTP Adapter and Framework Adapters¶
The core HTTP boundary uses framework-neutral request and response types:
NormalizedRequestContextrepresents method, path, query params, headers, form data, cookies, client IP, and JSON body.HttpResponserepresents status, body, and headers.OAuthHTTPAdapterroutes normalized HTTP operations into token, authorize, introspection, logout, MFA, WebAuthn, and OIDC flows.
Framework adapters live in astraauth.adapters and map framework-specific primitives into the normalized contract.
Supported adapter products include ASGI, FastAPI, Flask, Django, Litestar, and Robyn.
Adapter responsibilities are intentionally narrow:
- Read request input from the framework.
- Build a
NormalizedRequestContext. - Call the shared
OAuthHTTPAdapter. - Convert
HttpResponseback into the framework response type. - Apply common security headers and origin policy behavior where applicable.
This keeps protocol behavior centralized and prevents framework-specific drift.
Plugin Architecture¶
astraauth-plugins provides extension points without making the core runtime dynamic or unsafe by default.
Key concepts include Plugin, PluginManifest, PluginRuntime, PluginTrustPolicy, PluginAuditRecord, and tenant plugin registry stores.
Plugin execution supports:
- Hook execution with fail-open or fail-closed behavior.
- Tenant-specific plugin enablement.
- Endpoint extensions with allowed table controls.
- Audit callbacks so service runtime can write plugin audit logs.
The service package wires plugin audit records to logs/plugin-runtime-audit.jsonl when an observability home is configured.
OIDC Federation Architecture¶
astraauth.idp owns external identity provider federation.
Major components:
OIDCProviderConfigdescribes external provider settings.- Metadata discovery validates issuer metadata and endpoints.
- Login state records carry state, nonce, PKCE verifier, redirect URI, tenant, and expiry.
- Callback completion exchanges code, validates ID token, fetches userinfo, and returns an external profile.
- Identity link repository maps external identity to local subject ID.
- Group-role mappings convert external groups into local roles.
- Claim-attribute mappings transform external claims into subject attributes.
- Federation audit repository records success and failure outcomes.
The service package wraps this in ServiceOIDCHandler, which synchronizes subjects, resolves local roles, issues local Astra tokens, and writes audit records.
WebAuthn Architecture¶
astraauth.webauthn owns passkey/WebAuthn ceremony state and verification contracts.
Major pieces:
WebAuthnCredentialstores credential ID, subject, tenant, public key, transports, sign count, and creation time.WebAuthnRegistrationStatestores registration challenge state.WebAuthnAuthenticationStatestores authentication challenge state linked to MFA challenges.- In-memory, SQL, and async SQL repositories cover credential and state persistence.
LocalDevelopmentWebAuthnVerifiersupports explicit unsafe local development behavior only.ProductionBaselineWebAuthnVerifierenforces basic non-empty material and sign-count advancement.PyWebAuthnVerifierintegrates with the optionalwebauthnlibrary and requires full ceremony responses.build_default_webauthn_verifierprefers the optional library and falls back to the production baseline.
WebAuthn integrates with MFA as a step-up factor. A verified WebAuthn authentication can upgrade session ACR and AMR through the core MFA/session services.
ReBAC Policy Architecture¶
astraauth_policy (Astra Niyam) implements a Zanzibar-style relationship-based access control (ReBAC) system:
- Schema Parser (
parser.py) compiles KeyNetra-style entity relationship and permission definitions from a structured DSL. - Check Solver Engine (
engine.py) recursively processes permission and relationship checks. It includes circular loop detection via visited paths tracing and depth limit constraints. - Relation Tuple Store (
store.py) structures direct relationship tuples matching the(subject, relation, object)assertion form.
Multi-Tenancy Architecture¶
astraauth_tenancy (Astra Mandal) handles operator workspace boundaries and dynamic request context binding:
- Tenant Workspace (
models.py) defines tenant schemas, database connection parameters, and maximum entity counts. - Context Routing (
middleware.py) persists bound tenant contexts inside async/thread-safecontextvars. - Middleware integration maps incoming request headers (e.g.
X-Tenant-ID) to the context wrapper via ASGI middleware and Flask hooks.
CLI Architecture¶
astraauth.cli exposes operator flows through Typer. The installed console script is astra.
Command groups include:
- Setup and config:
config-home,config-init,validate-config,config-export,config-import,config-key-rotate. - Runtime inspection:
health,doctor,observability,security,persistence-info,schema-ensure,runtime-inventory. - Backup and recovery:
state-export,state-import,backup-verify. - Key management:
key-jwks,key-export,key-import,key-rotate. - Bootstrap and setup:
init-admin,bootstrap-token-create,bootstrap-token-purge,bootstrap-lockdown,bootstrap-show,bootstrap-export,bootstrap-import. - Audits:
oidc-audit,admin-audit,plugin-audit. - Interactive flows:
wizard,admin-ui.
The CLI does not own separate business logic. It delegates to service startup/operator helpers and uses display helpers for redacted JSON and readable terminal output.
There are two CLI interactive modes:
astra wizard: setup-focused flow for config initialization, security inspection, admin creation, and key rotation.astra admin-ui: by default, serves the browser-based admin UI console (Astra Netra). Alternatively, run with--tuito launch the terminal-based admin dashboard.
Browser Admin UI Architecture¶
astraauth-admin-ui provides Astra Netra, a browser-based admin dashboard.
Run it with:
Then open:
The UI stack uses FastAPI routes, Jinja templates, local static assets, htmx partial updates, encrypted cookie session state, CSRF tokens, shared throttling, no-store caching, and security headers.
Browser Routes¶
| Route | Purpose |
|---|---|
GET / |
Main shell. Loads sidebar and main region through htmx. |
GET /partials/sidebar |
Sidebar after authentication. |
GET /partials/main |
Chooses setup, login, or dashboard view based on runtime state. |
POST /partials/session/login |
Authenticates operator admin. |
POST /partials/session/logout |
Clears session and redirects to /. |
GET /partials/dashboard/summary |
Summary cards. |
GET /partials/dashboard/runtime |
Runtime health and inventory panel. |
GET /partials/dashboard/infrastructure |
Persistence, JWKS, security, plugin audit, and throttle panel. |
GET /partials/dashboard/oidc-audit |
OIDC federation audit panel. |
GET /partials/dashboard/admin-audit |
Admin action audit panel. |
POST /partials/actions/config-init |
Initializes runtime config. |
POST /partials/actions/init-admin |
Creates bootstrap admin. |
POST /partials/actions/key-rotate |
Rotates signing or encryption runtime keys. |
JSON API routes mirror the same operations for programmatic use:
| Route | Purpose |
|---|---|
GET /api/session |
Current setup/session status. |
POST /api/session/login |
JSON login. |
POST /api/session/logout |
JSON logout. |
GET /api/dashboard |
Dashboard payload. |
GET /api/observability |
Observability report. |
GET /api/security |
Security report. |
GET /api/oidc-audit |
OIDC audit records. |
GET /api/admin-audit |
Admin action records. |
GET /api/plugin-audit |
Plugin runtime audit records. |
POST /api/actions/config-init |
JSON config initialization. |
POST /api/actions/init-admin |
JSON bootstrap admin creation. |
POST /api/actions/key-rotate |
JSON runtime key rotation. |
UI State Flow¶
The UI starts in one of three states:
- Setup mode: no usable bootstrap admin exists. The UI asks for a bootstrap setup token, config values, and first admin details.
- Login mode: config and admin records exist, but the browser session is not authenticated.
- Dashboard mode: an authenticated operator session exists.
stateDiagram-v2
[*] --> Setup: setup_required
[*] --> Login: configured, no session
Setup --> Login: config and admin created
Login --> Dashboard: operator login succeeds
Dashboard --> Login: logout
Dashboard --> Dashboard: partial dashboard refresh
Dashboard --> Dashboard: config init, admin init, key rotate
Admin UI Security Controls¶
The browser UI enforces:
- CSRF tokens for HTML form actions and JSON mutation routes.
- Encrypted session cookies using the runtime settings key.
- HttpOnly cookies with strict SameSite policy.
- Secure cookies when served over HTTPS.
- Login throttling by client, tenant, and username.
- Sensitive action throttling by client, actor, and action.
- Admin action audit logging for login, logout, config initialization, admin creation, key rotation, failures, and throttling.
- Security headers including CSP, frame denial, no-sniff, referrer policy, permissions policy, cross-origin opener policy, and no-store caching on dynamic responses.
End-to-End Request Flows¶
Authorization Code Flow¶
sequenceDiagram
participant Browser
participant Framework
participant Adapter
participant Service
participant Core
participant Store
Browser->>Framework: GET /authorize
Framework->>Adapter: Framework request
Adapter->>Service: NormalizedRequestContext
Service->>Core: start_authorization
Core->>Store: save authorization code
Service-->>Adapter: redirect response
Adapter-->>Browser: 302 redirect with code
Browser->>Framework: POST /token
Framework->>Adapter: form data
Adapter->>Service: token request
Service->>Core: exchange_code_for_tokens
Core->>Store: mark code used, create session
Core->>Core: issue JWT and refresh token
Service-->>Adapter: token response
Adapter-->>Browser: JSON token payload
Password, API Key, and MFA Step-Up Flow¶
- The HTTP adapter receives
/tokenform data. - The OAuth service validates the client and requested scopes.
- Password or API key authenticator resolves the subject.
- Authorization resolves roles and permissions.
- Scope policy filters or rejects scopes.
- A session is issued.
- Access token, ID token when applicable, and refresh token are returned.
- If required ACR is not satisfied, an MFA challenge response can be returned instead.
- TOTP, email OTP, or WebAuthn verification upgrades the session ACR and AMR.
- Token service issues tokens containing updated
acrandamrclaims.
OIDC Federation Flow¶
- Client starts OIDC login for a configured provider and tenant.
- IDP package discovers metadata, creates state, nonce, and PKCE verifier.
- User is redirected to the external provider authorization endpoint.
- Callback validates state and exchanges code.
- ID token is validated and userinfo is fetched.
- External identity is linked or resolved to a local subject.
- Group and claim mappings produce local roles and subject attributes.
- Service issues local Astra tokens.
- Federation audit is recorded.
Plugin Hook Flow¶
- Service calls hook runner with hook name, tenant ID, and payload.
- Plugin runtime finds registered and tenant-enabled plugins.
- Trust policy validates manifest constraints where configured.
- Runtime executes plugins in controlled hook flow.
- Fail-open or fail-closed behavior determines outcome on plugin failure.
- Runtime emits audit records through the configured audit callback.
- Service continues with adjusted payload or fails closed.
Data and State Ownership¶
| State | Owner package | Store type |
|---|---|---|
| Runtime config | astraauth.core and astraauth.service |
Runtime-home JSON, encrypted by default |
| Token keys | astraauth.core and astraauth.service |
Runtime-home JSON, encrypted by default |
| Sessions | astraauth.core |
In-memory, SQL, async SQL, Redis |
| Authorization codes | astraauth.core |
In-memory baseline |
| OAuth clients and subjects | astraauth.core and astraauth.service |
In-memory baseline, service composition |
| MFA challenges and factors | astraauth.core |
In-memory, SQL |
| WebAuthn credentials and states | astraauth.webauthn |
In-memory, SQL, async SQL |
| OIDC login states, links, mappings, audits | astraauth.idp |
In-memory, SQL |
| Tenant plugin registry | astraauth.plugins |
In-memory, SQL |
| Plugin audit | astraauth.service |
JSONL under runtime home |
| Admin UI audit | astraauth.service and astraauth-admin-ui |
Encrypted runtime-home JSON |
| Throttle buckets | astraauth.core |
In-memory or shared SQLite/relational store |
Security Architecture¶
Astra's current security architecture has several layers.
Token Security¶
- JWTs are signed with managed RSA signing keys.
- JWE support is available for encrypted payloads.
- Active signing and encryption keys are tracked independently.
- Token schema version is validated.
- Issuer, audience, expiration, not-before, and clock skew are validated.
- Public JWKS exposes non-private key material.
- Private key state is persisted encrypted by default.
Runtime Secret Custody¶
- Runtime config and key exports use the settings key.
- Settings key metadata tracks key ID, creation time, active state, and rotation time.
- Diagnostics report missing, stale, or weak-permission settings key state.
- Config import re-encrypts by default.
- Runtime state export encrypts bootstrap content by default.
- Recipient public/private key workflows support portable encrypted backup handoff.
Passwords, API Keys, and Admin Safety¶
- Password verification is abstracted behind verifier protocols.
- API keys are digested before storage.
- CLI and display helpers redact sensitive values from JSON output.
- Browser admin UI uses encrypted cookies and CSRF protection.
- Dynamic admin UI responses are no-store.
- Sensitive actions are throttled.
- Login failures are throttled.
- Admin actions are audited.
- Bootstrap setup tokens are short-lived and can be purged or locked down.
Plugin Safety¶
- Plugin manifests and trust policy provide a controlled extension boundary.
- Endpoint extension access can be constrained to allowed tables.
- Hook execution supports fail-closed behavior.
- Plugin audit records include tenant, plugin name, execution type, target, status, failure classification, and duration.
Observability and Diagnostics¶
Astra exposes operational diagnostics through service helpers, CLI commands, and admin UI panels:
- Runtime health reports service composition, environment, issuer, persistence backends, provider counts, and plugin counts.
- Runtime inventory reports OIDC providers, registered plugins, tenant plugin enablement, and bootstrap admin count.
- Persistence reports logical stores, backend, mode, and DSN.
- Runtime diagnostics report config validity, key custody, token-key validity, bootstrap validity, admin audit existence, and warnings/issues.
- Runtime observability reports structured logging and metrics settings plus counters.
- Runtime security report includes throttle state and plugin audit state.
CLI commands such as astra health, astra doctor, astra observability, astra security, and astra persistence-info expose the same data from scripts.
Documentation Architecture¶
Published docs are configured through zensical.toml.
Current top-level sections are:
- Home
- Getting Started
- User Guide
- Examples
- Platform
- API Reference
- About
The docs source includes:
- User-facing guides under
docs/getting-startedanddocs/user-guide. - Example documentation under
docs/examples. - Platform status and package information under
docs/about. - Generated or API-focused pages under
docs/api.
For Version 1, docs should make these distinctions clear:
- Product concepts belong in User Guide.
- Runtime operations belong in Platform or a dedicated Operations section.
- API pages should stay technical and package-oriented.
- Package READMEs should stay short and point to canonical docs.
- Examples should map one-to-one to supported products and runnable example files.
- Browser admin UI and terminal admin UI must be documented as different tools.
Current Quality Gates¶
The following checks represent the current local quality gates:
uv run ty check --error-on-warning --output-format concise
.venv\Scripts\python.exe -m ruff check .
.venv\Scripts\python.exe -m pytest packages -o "addopts=-q --strict-markers --tb=short -p no:cacheprovider"
.venv\Scripts\zensical.exe build --strict
The project should not be released unless these pass from a clean checkout after dependency sync.
Version 1 Readiness Assessment¶
Code Correctness Status¶
The code is in strong shape for a pre-1.0 release candidate when the full local gates pass:
- Type checking passes with warnings treated as failures.
- Ruff linting passes.
- Package tests pass.
- Strict docs build passes.
- Key runtime flows are covered by tests: config, bootstrap, token keys, service composition, adapters, MFA, OIDC federation, plugins, WebAuthn, CLI, examples, and admin UI.
Documentation Correctness Status¶
Docs are structurally buildable and navigable through zensical.toml. The documentation covers installation, quick start, configuration, authentication, authorization, MFA, OIDC, plugins, abuse controls, examples, package summaries, status, API reference, CLI, and admin UI.
For Version 1, docs still need a final editorial pass focused on:
- Removing or clearly labeling old phase/RFC language from user-facing pages.
- Ensuring every command documented in package READMEs has a canonical page in published docs.
- Ensuring examples docs cover all currently supported products: FastAPI, Flask, Django, Litestar, Robyn, ASGI, CLI, admin UI, plugins, OIDC, MFA, WebAuthn, and backup/export flows.
- Ensuring the browser admin UI and terminal admin UI distinction is clear everywhere.
- Ensuring status pages do not promise future packages as current shipped features.
Version 1 Release Decision¶
Current recommendation: Astra is close to a Version 1 release candidate, but should not be tagged as Version 1 until the final release checklist is completed from a clean working tree.
Blocking items before a true Version 1 tag:
- Clean working tree review: confirm every modified, deleted, and untracked file is intentional.
- Package metadata audit: confirm names, versions, descriptions, extras, dependencies, classifiers, URLs, and README rendering for every workspace package.
- Public API freeze: decide which modules, classes, functions, commands, route contracts, and config fields are stable for 1.x.
- Documentation editorial pass: make docs coherent for users who did not see the implementation plan or phase history.
- Example pass: run and document all supported examples, including Django, Litestar, Robyn, admin UI, encrypted backup, plugin trust policy, and WebAuthn production verifier.
- Security release pass: verify setup-token behavior, admin UI CSRF/session behavior, key export/import behavior, password hashing migration posture, throttling, audit redaction, and backup encryption wording.
- Distribution dry run: build all wheels/sdists, run
twine check, install into a fresh virtualenv, and smoke-test CLI imports and core examples. - Publishing setup: configure and verify PyPI/TestPyPI trusted publishing or release credentials.
- Versioning decision: update all package versions consistently and ensure changelog/release notes match the final artifact.
If those items are completed and the gates above pass in a clean environment, the project can be treated as ready for a Version 1 release.
Recommended Version 1 Release Checklist¶
- Confirm git status contains only intentional release changes.
- Confirm deleted files are intentional.
- Normalize line endings if needed.
- Run
uv sync --all-groupsin a clean checkout. - Run
uv run ty check --error-on-warning --output-format concise. - Run
uv run ruff check .. - Run full package tests.
- Run strict docs build.
- Build all packages.
- Run
twine checkon produced artifacts. - Install the built artifacts into a fresh virtual environment.
- Run CLI smoke tests from installed artifacts.
- Run representative examples from installed artifacts.
- Review published docs navigation and search.
- Confirm PyPI project pages render expected README content.
- Tag the release only after artifacts and docs are confirmed.
Summary¶
Astra's architecture is modular, layered, and coherent: the core domain logic is framework-neutral, service composition centralizes runtime behavior, and web adapters remain extremely thin. Operational workflows are managed through the CLI (Astra Dwaar) and the web admin UI (Astra Netra), which interface with the same runtime-home state.
To guarantee release safety, the Quality Gates and the Recommended Version 1 Release Checklist are essential safeguards. They verify that linting, type-checking, E2E framework examples, and strict documentation builds pass successfully from a clean checkout prior to any distribution tag. Version 1 should be treated as a release candidate milestone until the final packaging and dry-runs are executed.