
Conversation

@gkorland
Contributor

@gkorland gkorland commented Aug 30, 2025

Fix #160

Summary by CodeRabbit

  • New Features
    • API Tokens: generate, view, and delete tokens via a new modal and user profile “API Tokens” button.
    • Database connection now streams step-by-step progress with visual indicators.
    • Optional MCP endpoints exposed; can be toggled via configuration.
  • Documentation
    • Docker-first Quickstart, expanded development/testing guides, and MCP instructions.
    • New Token Management documentation.
    • Reorganized environment example (.env.example) for simpler setup.
  • Chores
    • Dependency updates: add fastapi-mcp; bump litellm.
    • Ignore demo_tokens.py in version control.

@coderabbitai
Contributor

coderabbitai bot commented Aug 30, 2025

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds MCP support and router mounting, introduces streaming database connection steps, implements API token management (backend endpoints, frontend UI/TS, styles, templates), updates auth to accept API tokens, tightens typings, and revises docs/config (Docker-first, MCP toggle, env variables). Dependencies updated (fastapi-mcp, litellm bump).

Changes

  • Docs and Configuration (README.md, .env.example, .github/copilot-instructions.md, TOKEN_MANAGEMENT.md, .github/wordlist.txt, .gitignore): Reworked docs to Docker-first, added MCP docs/toggle, env var reshuffle (FALKORDB_URL, DISABLE_MCP), added token management spec, extended wordlist, ignored demo_tokens.py.
  • Dependencies (Pipfile, package.json): Added fastapi-mcp (~=0.4.0), bumped litellm to ~=1.76.0, added file dependency "queryweaver-app".
  • MCP Integration and Routing (api/app_factory.py, api/routes/graphs.py): Conditional MCP mounting via FastApiMCP with operations; added operation_id metadata; tightened request model list[str].
  • Database Streaming Flow (api/routes/database.py, app/templates/components/database_modal.j2, app/public/css/modals.css, app/ts/modules/modals.ts): Backend streams connect steps using MESSAGE_DELIMITER; frontend modal shows incremental steps; UI hooks/styles added.
  • Auth and Token API (api/auth/user_management.py, api/routes/tokens.py): Added API-token extraction helper; token_required supports OAuth or API token; new token endpoints (generate/list/delete) with graph queries and router.
  • Token UI and Wiring (app/templates/components/token_modal.j2, app/templates/components/user_profile.j2, app/templates/chat.j2, app/public/css/buttons.css, app/public/css/modals.css, app/ts/modules/tokens.ts, app/ts/app.ts): New token management modal, profile button, inclusion in chat; styles; TS module to manage tokens; wired into app init.
  • Minor/Type Cleanups (api/agents/relevancy_agent.py, api/routes/auth.py): Type hints refined to list[str]; removed extra blank lines.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as User
  participant FE as Frontend (Modal)
  participant BE as FastAPI /database
  participant Loader as Schema Loader

  U->>FE: Click "Connect"
  FE->>BE: POST /database { url }
  BE-->>FE: stream: reasoning_step "Starting connection"
  BE->>BE: Detect DB type (postgres/mysql)
  BE-->>FE: stream: reasoning_step "Detected type: X"
  BE->>Loader: load schema
  alt success
    BE-->>FE: stream: final_result { success, schema }
    FE->>FE: Show success step, close modal, reload
  else error
    BE-->>FE: stream: error { message }
    FE->>FE: Show error step/alert
  end
sequenceDiagram
  autonumber
  participant C as Client
  participant APP as FastAPI App
  participant MCP as FastApiMCP

  C->>APP: Startup
  APP->>APP: Read DISABLE_MCP
  alt MCP enabled
    APP->>MCP: Initialize "queryweaver" ops
    APP->>APP: mount /mcp endpoints
  else MCP disabled
    APP->>APP: Skip MCP mount
  end
sequenceDiagram
  autonumber
  participant U as User
  participant FE as Token Modal (TS)
  participant API as /api/tokens
  participant Auth as token_required

  U->>FE: Open "API Tokens"
  FE->>API: GET /list (credentials)
  API->>Auth: Validate (OAuth or API token)
  API-->>FE: { tokens: [...] }

  U->>FE: Generate token
  FE->>API: POST /generate
  API-->>FE: { token_id, created_at }
  FE->>FE: Show full token once

  U->>FE: Delete token
  FE->>API: DELETE /{last4}
  API-->>FE: 200 OK
  FE->>FE: Refresh list, show success

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Assessment against linked issues

  • Objective: Database load should return steps in HTTP stream (#160)

Assessment against linked issues: Out-of-scope changes

  • Add MCP integration and conditional mounting (api/app_factory.py: multiple additions): MCP enablement not part of streaming database steps objective.
  • Introduce token management endpoints and router (api/routes/tokens.py: entire file): Token CRUD API unrelated to streaming database steps.
  • Add token extraction and auth flow changes (api/auth/user_management.py: multiple additions): Broad auth refactor beyond the streaming requirement.
  • Frontend token management module and UI (app/ts/modules/tokens.ts, app/templates/components/token_modal.j2): Token UI not required for the streaming steps objective.
  • MCP and token docs/spec additions (README.md, TOKEN_MANAGEMENT.md): Documentation unrelated to the specific streaming objective.

Possibly related PRs

Suggested reviewers

  • galshubeli

Poem

In burrows of code I hop and weave,
Streaming steps like leaves that leave;
Tokens twinkle, secrets tight,
MCP moons glow soft at night.
Click, connect—schemas bloom,
Thump-thump tests dispel the gloom.
Happy hops in QueryWeaver’s room! 🐇✨

@gkorland gkorland requested a review from galshubeli August 30, 2025 21:28
@gkorland gkorland changed the base branch from main to staging August 30, 2025 21:28
@github-actions

Dependency Review

The following issues were found:

  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 6 package(s) with unknown licenses.
  • ⚠️ 9 packages with OpenSSF Scorecard issues.


        except (ValueError, TypeError) as e:
            logging.error("Unexpected error in database connection: %s", str(e))
            raise HTTPException(status_code=500, detail="Internal server error")
    return StreamingResponse(generate(), media_type="application/json")

Check warning

Code scanning / CodeQL

Information exposure through an exception (Medium)

Stack trace information flows to this location and may be exposed to an external user.

Copilot Autofix

AI 5 months ago

To address the vulnerability of exposing internal error information to users, the fix must prevent potentially sensitive data from being returned in streamed JSON responses. To do this, the PostgresLoader.load method (in api/loaders/postgres_loader.py) must never yield detailed exception messages, instead only yielding generic, safe error messages. Internal details can and should be logged on the server.

  • Update the except blocks in PostgresLoader.load so that, instead of yielding f-strings containing str(e), they log that info and only yield a sanitized message to the caller (route).
  • No changes are required in the route itself if we can guarantee that loader always yields only generic error messages (as the route already returns friendly error text in other places).
  • Only the file api/loaders/postgres_loader.py requires editing to update the error yielding logic.

Suggested changeset 1
api/loaders/postgres_loader.py
Outside changed files

Autofix patch

Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/api/loaders/postgres_loader.py b/api/loaders/postgres_loader.py
--- a/api/loaders/postgres_loader.py
+++ b/api/loaders/postgres_loader.py
@@ -106,9 +106,11 @@
                          f"Found {len(entities)} tables.")
 
         except psycopg2.Error as e:
-            yield False, f"PostgreSQL connection error: {str(e)}"
+            logging.error("PostgreSQL connection error: %s", str(e))
+            yield False, "Could not connect to the PostgreSQL database. Please check the connection details."
         except Exception as e:
-            yield False, f"Error loading PostgreSQL schema: {str(e)}"
+            logging.exception("Unexpected error while loading PostgreSQL schema: %s", str(e))
+            yield False, "An internal error occurred while loading the PostgreSQL schema."
 
     @staticmethod
     def extract_tables_info(cursor) -> Dict[str, Any]:
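Review bot: the two added lines call logging.error and logging.exception, but the hunk adds no `import logging` and the context lines do not show the module's imports; confirm postgres_loader.py already imports it, otherwise the sanitized branch itself fails with NameError inside the except block. Also, logging.exception already records the traceback, so the `%s`/`str(e)` in `logging.exception("Unexpected error while loading PostgreSQL schema: %s", str(e))` is redundant, while `logging.error("PostgreSQL connection error: %s", str(e))` in the psycopg2.Error branch drops the traceback entirely; pass `exc_info=True` there if the server log should keep it. The generic messages yielded to the caller are the right shape for the information-exposure finding, since the stream reaches the browser.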
EOF
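The sanitization the autofix describes, carried end to end as an added example that is not code from the QueryWeaver project or from the autofix: the loader yields (ok, message) steps, keeps driver error text in the server log, and the delimiter-framed stream the route would emit never carries it. The fake driver, the MESSAGE_DELIMITER value, and the connect(), load_schema(), stream_steps() and parse_stream() names are assumptions for illustration.

```python
import json
import logging

MESSAGE_DELIMITER = "\n"  # assumed framing; the project's actual delimiter is not shown on this page


class FakeDbError(Exception):
    """Constructed stand-in for psycopg2.Error so the example runs without a database."""


def connect(url: str) -> dict:
    """Constructed stand-in for a driver connect(); like a real driver it puts the DSN in the error."""
    if "bad-host" in url:
        raise FakeDbError(f'could not connect to server at "{url}"')
    return {"tables": ["users", "orders"]}


def load_schema(url: str):
    """Yield (ok, message) steps; driver error text is logged, never yielded."""
    yield True, "Starting connection"
    try:
        conn = connect(url)
        yield True, f"Found {len(conn['tables'])} tables."
    except FakeDbError as e:
        # exc_info keeps the traceback in the server log without putting it on the wire
        logging.error("PostgreSQL connection error: %s", e, exc_info=True)
        yield False, "Could not connect to the PostgreSQL database. Please check the connection details."
    except Exception:
        logging.exception("Unexpected error while loading PostgreSQL schema")
        yield False, "An internal error occurred while loading the PostgreSQL schema."


def stream_steps(url: str) -> str:
    """Frame each step as one JSON object per delimiter, using the modal's step types."""
    chunks = []
    for ok, message in load_schema(url):
        if not ok:
            chunks.append(json.dumps({"type": "error", "message": message}))
            break
        chunks.append(json.dumps({"type": "reasoning_step", "message": message}))
    else:  # loop finished without an error step
        chunks.append(json.dumps({"type": "final_result", "success": True}))
    return MESSAGE_DELIMITER.join(chunks) + MESSAGE_DELIMITER


def parse_stream(body: str) -> list:
    """What the frontend does: split on the delimiter and decode each step."""
    return [json.loads(chunk) for chunk in body.split(MESSAGE_DELIMITER) if chunk]
```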
@gkorland gkorland merged commit d0097a0 into staging Aug 31, 2025
3 of 5 checks passed
@gkorland gkorland deleted the load-steps branch August 31, 2025 08:01
@coderabbitai coderabbitai bot mentioned this pull request Sep 10, 2025


Development

Successfully merging this pull request may close these issues.

Database load should return steps in HTTP stream
