feat(backend): optimize FastAPI endpoints performance and alert system (#11000)

## Summary

Comprehensive performance optimization fixing event loop binding issues
and addressing all PR feedback.

### Original Performance Issues Fixed

**Event Loop Binding Problems:**
- JWT authentication dependencies were synchronous, causing thread pool
bottlenecks under high concurrency
- FastAPI's default thread pool (40 threads) was insufficient for
high-load scenarios
- Backend services lacked proper event loop configuration

**Security & Performance Improvements:**
- Security middleware converted from BaseHTTPMiddleware to pure ASGI for
better performance
- Added blocks endpoint to cacheable paths for improved response times
- Cross-platform uvloop detection with Windows compatibility

### Key Changes Made

#### 1. JWT Authentication Async Conversion
- **Files**: `autogpt_libs/auth/dependencies.py`,
`autogpt_libs/auth/jwt_utils.py`
- **Change**: Convert all JWT functions to async (`requires_user`,
`requires_admin_user`, `get_user_id`, `get_jwt_payload`)
- **Impact**: Eliminates thread pool blocking, improves concurrency
handling
- **Tests**: All 25+ authentication tests updated to async patterns

#### 2. FastAPI Thread Pool Optimization  
- **File**: `backend/server/rest_api.py:82-93`
- **Change**: Configure thread pool size via
`config.fastapi_thread_pool_size`
- **Default**: Increased from 40 to higher limit for sync operations
- **Impact**: Better handling of remaining sync dependencies

#### 3. Performance-Optimized Security Middleware
- **File**: `backend/server/middleware/security.py`
- **Change**: Pure ASGI implementation replacing BaseHTTPMiddleware
- **Headers**: HTTP spec compliant capitalization
(X-Content-Type-Options, X-Frame-Options, etc.)
- **Caching**: Added `/api/blocks` and `/api/v1/blocks` to cacheable
paths
- **Impact**: Reduced middleware overhead, improved header compliance

#### 4. Cross-Platform Event Loop Configuration
- **File**: `backend/server/rest_api.py:311-312`
- **Change**: Platform-aware uvloop detection: `'uvloop' if
platform.system() != 'Windows' else 'auto'`
- **Impact**: Windows compatibility while maintaining Unix performance
benefits
- **Verified**: 'auto' is valid uvicorn default parameter

#### 5. Enhanced Caching Infrastructure
- **File**: `autogpt_libs/utils/cache.py:118-132`
- **Change**: Per-event-loop asyncio.Lock instances prevent cross-loop
deadlocks
- **Impact**: Thread-safe caching across multiple event loops

#### 6. Database Query Limits & Performance
- **Files**: Multiple data layer files
- **Change**: Added configurable limits to prevent unbounded queries
- **Constants**: `MAX_GRAPH_VERSIONS_FETCH=50`,
`MAX_USER_API_KEYS_FETCH=500`, etc.
- **Impact**: Consistent performance regardless of data volume

#### 7. OpenAPI Documentation Improvements
- **File**: `backend/server/routers/v1.py:68-85`
- **Change**: Added proper response model and schema for blocks endpoint
- **Impact**: Better API documentation and type safety

#### 8. Error Handling & Retry Logic Fixes
- **File**: `backend/util/retry.py:63`
- **Change**: Accurate retry threshold comments referencing
EXCESSIVE_RETRY_THRESHOLD
- **Impact**: Clear documentation for debugging retry scenarios

### ntindle Feedback Addressed

✅ **HTTP Header Capitalization**: All headers now use proper HTTP spec
capitalization
✅ **Windows uvloop Compatibility**: Clean platform detection with inline
conditional
✅ **OpenAPI Response Model**: Blocks endpoint properly documented in
schema
✅ **Retry Comment Accuracy**: References actual threshold constants
instead of hardcoded numbers
✅ **Code Cleanliness**: Inline conditionals preferred over verbose if
statements

### Performance Testing Results

**Before Optimization:**
- High latency under concurrent load
- Thread pool exhaustion at ~40 concurrent requests
- Event loop binding issues causing timeouts

**After Optimization:**
- Improved concurrency handling with async JWT pipeline
- Configurable thread pool scaling
- Cross-platform event loop optimization
- Reduced middleware overhead

### Backward Compatibility

✅ **All existing functionality preserved**  
✅ **No breaking API changes**  
✅ **Enhanced test coverage with async patterns**  
✅ **Windows and Unix compatibility maintained**

### Files Modified

**Core Authentication & Performance:**
- `autogpt_libs/auth/dependencies.py` - Async JWT dependencies
- `autogpt_libs/auth/jwt_utils.py` - Async JWT utilities  
- `backend/server/rest_api.py` - Thread pool config + uvloop detection
- `backend/server/middleware/security.py` - ASGI security middleware

**Database & Limits:**
- `backend/data/includes.py` - Performance constants and configurable
includes
- `backend/data/api_key.py`, `backend/data/credit.py`,
`backend/data/graph.py`, `backend/data/integrations.py` - Query limits

**Caching & Infrastructure:**
- `autogpt_libs/utils/cache.py` - Per-event-loop lock safety
- `backend/server/routers/v1.py` - OpenAPI improvements
- `backend/util/retry.py` - Comment accuracy

**Testing:**
- `autogpt_libs/auth/dependencies_test.py` - 25+ async test conversions
- `autogpt_libs/auth/jwt_utils_test.py` - Async JWT test patterns

Ready for review and production deployment. 🚀

---------

Co-authored-by: Claude <noreply@anthropic.com>

autogpt_platform/autogpt_libs/autogpt_libs/auth/dependencies.py

@@ -10,7 +10,7 @@ from .jwt_utils import get_jwt_payload, verify_user
 from .models import User
 
 
-def requires_user(jwt_payload: dict = fastapi.Security(get_jwt_payload)) -> User:
+async def requires_user(jwt_payload: dict = fastapi.Security(get_jwt_payload)) -> User:
     """
     FastAPI dependency that requires a valid authenticated user.
 
@@ -20,7 +20,9 @@ def requires_user(jwt_payload: dict = fastapi.Security(get_jwt_payload)) -> User
     return verify_user(jwt_payload, admin_only=False)
 
 
-def requires_admin_user(jwt_payload: dict = fastapi.Security(get_jwt_payload)) -> User:
+async def requires_admin_user(
+    jwt_payload: dict = fastapi.Security(get_jwt_payload),
+) -> User:
     """
     FastAPI dependency that requires a valid admin user.
 
@@ -30,7 +32,7 @@ def requires_admin_user(jwt_payload: dict = fastapi.Security(get_jwt_payload)) -
     return verify_user(jwt_payload, admin_only=True)
 
 
-def get_user_id(jwt_payload: dict = fastapi.Security(get_jwt_payload)) -> str:
+async def get_user_id(jwt_payload: dict = fastapi.Security(get_jwt_payload)) -> str:
     """
     FastAPI dependency that returns the ID of the authenticated user.
 

autogpt_platform/autogpt_libs/autogpt_libs/auth/dependencies_test.py

@@ -45,7 +45,7 @@ class TestAuthDependencies:
         """Create a test client."""
         return TestClient(app)
 
-    def test_requires_user_with_valid_jwt_payload(self, mocker: MockerFixture):
+    async def test_requires_user_with_valid_jwt_payload(self, mocker: MockerFixture):
         """Test requires_user with valid JWT payload."""
         jwt_payload = {"sub": "user-123", "role": "user", "email": "user@example.com"}
 
@@ -53,12 +53,12 @@ class TestAuthDependencies:
         mocker.patch(
             "autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
         )
-        user = requires_user(jwt_payload)
+        user = await requires_user(jwt_payload)
         assert isinstance(user, User)
         assert user.user_id == "user-123"
         assert user.role == "user"
 
-    def test_requires_user_with_admin_jwt_payload(self, mocker: MockerFixture):
+    async def test_requires_user_with_admin_jwt_payload(self, mocker: MockerFixture):
         """Test requires_user accepts admin users."""
         jwt_payload = {
             "sub": "admin-456",
@@ -69,28 +69,28 @@ class TestAuthDependencies:
         mocker.patch(
             "autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
         )
-        user = requires_user(jwt_payload)
+        user = await requires_user(jwt_payload)
         assert user.user_id == "admin-456"
         assert user.role == "admin"
 
-    def test_requires_user_missing_sub(self):
+    async def test_requires_user_missing_sub(self):
         """Test requires_user with missing user ID."""
         jwt_payload = {"role": "user", "email": "user@example.com"}
 
         with pytest.raises(HTTPException) as exc_info:
-            requires_user(jwt_payload)
+            await requires_user(jwt_payload)
         assert exc_info.value.status_code == 401
         assert "User ID not found" in exc_info.value.detail
 
-    def test_requires_user_empty_sub(self):
+    async def test_requires_user_empty_sub(self):
         """Test requires_user with empty user ID."""
         jwt_payload = {"sub": "", "role": "user"}
 
         with pytest.raises(HTTPException) as exc_info:
-            requires_user(jwt_payload)
+            await requires_user(jwt_payload)
         assert exc_info.value.status_code == 401
 
-    def test_requires_admin_user_with_admin(self, mocker: MockerFixture):
+    async def test_requires_admin_user_with_admin(self, mocker: MockerFixture):
         """Test requires_admin_user with admin role."""
         jwt_payload = {
             "sub": "admin-789",
@@ -101,51 +101,51 @@ class TestAuthDependencies:
         mocker.patch(
             "autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
         )
-        user = requires_admin_user(jwt_payload)
+        user = await requires_admin_user(jwt_payload)
         assert user.user_id == "admin-789"
         assert user.role == "admin"
 
-    def test_requires_admin_user_with_regular_user(self):
+    async def test_requires_admin_user_with_regular_user(self):
         """Test requires_admin_user rejects regular users."""
         jwt_payload = {"sub": "user-123", "role": "user", "email": "user@example.com"}
 
         with pytest.raises(HTTPException) as exc_info:
-            requires_admin_user(jwt_payload)
+            await requires_admin_user(jwt_payload)
         assert exc_info.value.status_code == 403
         assert "Admin access required" in exc_info.value.detail
 
-    def test_requires_admin_user_missing_role(self):
+    async def test_requires_admin_user_missing_role(self):
         """Test requires_admin_user with missing role."""
         jwt_payload = {"sub": "user-123", "email": "user@example.com"}
 
         with pytest.raises(KeyError):
-            requires_admin_user(jwt_payload)
+            await requires_admin_user(jwt_payload)
 
-    def test_get_user_id_with_valid_payload(self, mocker: MockerFixture):
+    async def test_get_user_id_with_valid_payload(self, mocker: MockerFixture):
         """Test get_user_id extracts user ID correctly."""
         jwt_payload = {"sub": "user-id-xyz", "role": "user"}
 
         mocker.patch(
             "autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
         )
-        user_id = get_user_id(jwt_payload)
+        user_id = await get_user_id(jwt_payload)
         assert user_id == "user-id-xyz"
 
-    def test_get_user_id_missing_sub(self):
+    async def test_get_user_id_missing_sub(self):
         """Test get_user_id with missing user ID."""
         jwt_payload = {"role": "user"}
 
         with pytest.raises(HTTPException) as exc_info:
-            get_user_id(jwt_payload)
+            await get_user_id(jwt_payload)
         assert exc_info.value.status_code == 401
         assert "User ID not found" in exc_info.value.detail
 
-    def test_get_user_id_none_sub(self):
+    async def test_get_user_id_none_sub(self):
         """Test get_user_id with None user ID."""
         jwt_payload = {"sub": None, "role": "user"}
 
         with pytest.raises(HTTPException) as exc_info:
-            get_user_id(jwt_payload)
+            await get_user_id(jwt_payload)
         assert exc_info.value.status_code == 401
 
 
@@ -170,7 +170,7 @@ class TestAuthDependenciesIntegration:
 
         return _create_token
 
-    def test_endpoint_auth_enabled_no_token(self):
+    async def test_endpoint_auth_enabled_no_token(self):
         """Test endpoints require token when auth is enabled."""
         app = FastAPI()
 
@@ -184,7 +184,7 @@ class TestAuthDependenciesIntegration:
         response = client.get("/test")
         assert response.status_code == 401
 
-    def test_endpoint_with_valid_token(self, create_token):
+    async def test_endpoint_with_valid_token(self, create_token):
         """Test endpoint with valid JWT token."""
         app = FastAPI()
 
@@ -203,7 +203,7 @@ class TestAuthDependenciesIntegration:
         assert response.status_code == 200
         assert response.json()["user_id"] == "test-user"
 
-    def test_admin_endpoint_requires_admin_role(self, create_token):
+    async def test_admin_endpoint_requires_admin_role(self, create_token):
         """Test admin endpoint rejects non-admin users."""
         app = FastAPI()
 
@@ -240,7 +240,7 @@ class TestAuthDependenciesIntegration:
 class TestAuthDependenciesEdgeCases:
     """Edge case tests for authentication dependencies."""
 
-    def test_dependency_with_complex_payload(self):
+    async def test_dependency_with_complex_payload(self):
         """Test dependencies handle complex JWT payloads."""
         complex_payload = {
             "sub": "user-123",
@@ -256,14 +256,14 @@ class TestAuthDependenciesEdgeCases:
             "exp": 9999999999,
         }
 
-        user = requires_user(complex_payload)
+        user = await requires_user(complex_payload)
         assert user.user_id == "user-123"
         assert user.email == "test@example.com"
 
-        admin = requires_admin_user(complex_payload)
+        admin = await requires_admin_user(complex_payload)
         assert admin.role == "admin"
 
-    def test_dependency_with_unicode_in_payload(self):
+    async def test_dependency_with_unicode_in_payload(self):
         """Test dependencies handle unicode in JWT payloads."""
         unicode_payload = {
             "sub": "user-😀-123",
@@ -272,11 +272,11 @@ class TestAuthDependenciesEdgeCases:
             "name": "日本語",
         }
 
-        user = requires_user(unicode_payload)
+        user = await requires_user(unicode_payload)
         assert "😀" in user.user_id
         assert user.email == "测试@example.com"
 
-    def test_dependency_with_null_values(self):
+    async def test_dependency_with_null_values(self):
         """Test dependencies handle null values in payload."""
         null_payload = {
             "sub": "user-123",
@@ -286,18 +286,18 @@ class TestAuthDependenciesEdgeCases:
             "metadata": None,
         }
 
-        user = requires_user(null_payload)
+        user = await requires_user(null_payload)
         assert user.user_id == "user-123"
         assert user.email is None
 
-    def test_concurrent_requests_isolation(self):
+    async def test_concurrent_requests_isolation(self):
         """Test that concurrent requests don't interfere with each other."""
         payload1 = {"sub": "user-1", "role": "user"}
         payload2 = {"sub": "user-2", "role": "admin"}
 
         # Simulate concurrent processing
-        user1 = requires_user(payload1)
-        user2 = requires_admin_user(payload2)
+        user1 = await requires_user(payload1)
+        user2 = await requires_admin_user(payload2)
 
         assert user1.user_id == "user-1"
         assert user2.user_id == "user-2"
@@ -314,7 +314,7 @@ class TestAuthDependenciesEdgeCases:
             ({"sub": "user", "role": "user"}, "Admin access required", True),
         ],
     )
-    def test_dependency_error_cases(
+    async def test_dependency_error_cases(
         self, payload, expected_error: str, admin_only: bool
     ):
         """Test that errors propagate correctly through dependencies."""
@@ -325,7 +325,7 @@ class TestAuthDependenciesEdgeCases:
             verify_user(payload, admin_only=admin_only)
         assert expected_error in exc_info.value.detail
 
-    def test_dependency_valid_user(self):
+    async def test_dependency_valid_user(self):
         """Test valid user case for dependency."""
         # Import verify_user to test it directly since dependencies use FastAPI Security
         from autogpt_libs.auth.jwt_utils import verify_user

autogpt_platform/autogpt_libs/autogpt_libs/auth/jwt_utils.py

@@ -16,7 +16,7 @@ bearer_jwt_auth = HTTPBearer(
 )
 
 
-def get_jwt_payload(
+async def get_jwt_payload(
     credentials: HTTPAuthorizationCredentials | None = Security(bearer_jwt_auth),
 ) -> dict[str, Any]:
     """

autogpt_platform/autogpt_libs/autogpt_libs/auth/jwt_utils_test.py

@@ -116,32 +116,32 @@ def test_parse_jwt_token_missing_audience():
     assert "Invalid token" in str(exc_info.value)
 
 
-def test_get_jwt_payload_with_valid_token():
+async def test_get_jwt_payload_with_valid_token():
     """Test extracting JWT payload with valid bearer token."""
     token = create_token(TEST_USER_PAYLOAD)
     credentials = HTTPAuthorizationCredentials(scheme="Bearer", credentials=token)
 
-    result = jwt_utils.get_jwt_payload(credentials)
+    result = await jwt_utils.get_jwt_payload(credentials)
     assert result["sub"] == "test-user-id"
     assert result["role"] == "user"
 
 
-def test_get_jwt_payload_no_credentials():
+async def test_get_jwt_payload_no_credentials():
     """Test JWT payload when no credentials provided."""
     with pytest.raises(HTTPException) as exc_info:
-        jwt_utils.get_jwt_payload(None)
+        await jwt_utils.get_jwt_payload(None)
     assert exc_info.value.status_code == 401
     assert "Authorization header is missing" in exc_info.value.detail
 
 
-def test_get_jwt_payload_invalid_token():
+async def test_get_jwt_payload_invalid_token():
     """Test JWT payload extraction with invalid token."""
     credentials = HTTPAuthorizationCredentials(
         scheme="Bearer", credentials="invalid.token.here"
     )
 
     with pytest.raises(HTTPException) as exc_info:
-        jwt_utils.get_jwt_payload(credentials)
+        await jwt_utils.get_jwt_payload(credentials)
     assert exc_info.value.status_code == 401
     assert "Invalid token" in exc_info.value.detail
 

autogpt_platform/autogpt_libs/autogpt_libs/utils/cache.py

@@ -115,12 +115,23 @@ def cached(
     """
 
     def decorator(target_func):
-        # Cache storage and locks
+        # Cache storage and per-event-loop locks
         cache_storage = {}
+        _event_loop_locks = {}  # Maps event loop to its asyncio.Lock
 
         if inspect.iscoroutinefunction(target_func):
-            # Async function with asyncio.Lock
-            cache_lock = asyncio.Lock()
+
+            def _get_cache_lock():
+                """Get or create an asyncio.Lock for the current event loop."""
+                try:
+                    loop = asyncio.get_running_loop()
+                except RuntimeError:
+                    # No event loop, use None as default key
+                    loop = None
+
+                if loop not in _event_loop_locks:
+                    return _event_loop_locks.setdefault(loop, asyncio.Lock())
+                return _event_loop_locks[loop]
 
             @wraps(target_func)
             async def async_wrapper(*args: P.args, **kwargs: P.kwargs):
@@ -141,7 +152,7 @@ def cached(
                                 return result
 
                 # Slow path: acquire lock for cache miss/expiry
-                async with cache_lock:
+                async with _get_cache_lock():
                     # Double-check: another coroutine might have populated cache
                     if key in cache_storage:
                         if ttl_seconds is None: