recon_xkg

Authorization + parsing helpers for the undocumented recon_xkg submit flag.

recon_xkg lets an allowlisted API key serve predictions from the persistent memoization store instead of recomputing everything. It is deliberately kept out of the public docs/OpenAPI schema. Unauthorized use is silently ignored (treated as a normal job) rather than rejected with a distinctive error, so the parameter’s existence is not confirmed to callers — attempts are only recorded server-side for audit.

Module Contents

recon_xkg.coerce_recon_xkg(raw) bool

Parse the multipart/JSON recon_xkg value into a bool (default False).

recon_xkg.is_recon_xkg_allowed(api_key) bool

Return True if api_key is on the ReconXKG allowlist.

Membership is the only authorization gate. Looks up an active ReconXkgAllowedKey row, with a brief per-process TTL cache. Any lookup error fails closed (returns False).

recon_xkg.resolve_recon_xkg(api_key, requested: bool) bool

Resolve the effective recon_xkg flag for a submission and audit-log it.

Returns True only when the flag was requested and the key is allowlisted. Unauthorized requests are logged (without leaking to the client) and downgraded to False.

recon_xkg.log_recon_xkg_outcome(*, api_key_id, public_id: str, row_count: int, hit_count: int, miss_count: int) None

Audit-log the hit/miss outcome of an authorized ReconXKG job.