Skip to content

mlsys-io/lumid.flowmesh-plugin

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
src/lumid_flowmesh_plugin
src/lumid_flowmesh_plugin
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
pyproject.toml
pyproject.toml
 
 
uv.lock
uv.lock
 
 

Repository files navigation

lumid-flowmesh-plugin

FlowMesh V2 plugin that bridges lum.id identity, Runmesh billing, and supplier attribution. Loaded into a FlowMesh Server process via FLOWMESH_PLUGINS=lumid_flowmesh_plugin.

What it provides

Hook Behaviour
IdentityProvider Resolves bearer tokens via POST {LUM_ID_BASE_URL}/oauth/introspect. Accepts lum.id JWT and lm_pat_* PATs. Caches active introspect responses for 60 s, sha256-keyed, capped at 10 k entries. Maps flowmesh:* scopes to FlowMesh's vocabulary. Stashes principal_id → email for later use by the usage sink.
SubmissionGuard Optional GPU-rental balance preflight against Runmesh. Off by default (LUMID_BALANCE_GUARD=on to enable). Fails open on Runmesh outage.
UsageSink Mirrors usage rows to POST {RUNMESH_BILLING_BASE_URL}/billing/flowmesh-entry with X-Bridge-Secret. With this plugin as the sole IdentityProvider, every authenticated principal came through our resolve path, so every row is forwarded — except rows whose principal_id isn't in the email cache (anonymous or pre-restart principals Runmesh can't bill). One POST per row; failures logged and dropped.
SupplierResolver Returns worker.namespace as the supplier id at dispatch time.

Environment variables

Var Required Default Notes
LUM_ID_BASE_URL no https://lum.id Identity provider base URL.
RUNMESH_BILLING_BASE_URL yes (for billing) e.g. https://kv.run:8000/Runmesh. Empty disables sink + guard.
FLOWMESH_BRIDGE_SECRET yes (for billing) Shared secret used as X-Bridge-Secret.
LUMID_BALANCE_GUARD no off on to enable preflight balance check.
LUMID_ORG_ID no lumid Stamped on the PrincipalContext.org_id returned by the IdentityProvider. Used by the SubmissionGuard to scope its check to lumid principals; the UsageSink ignores it (V2 task records don't preserve the PrincipalContext's org_id).

Loading

pip install lumid-flowmesh-plugin
export FLOWMESH_PLUGINS=lumid_flowmesh_plugin
export LUM_ID_BASE_URL=https://lum.id
export RUNMESH_BILLING_BASE_URL=https://kv.run:8000/Runmesh
export FLOWMESH_BRIDGE_SECRET=<shared-secret>
# start the FlowMesh server

Tests

uv sync --all-extras
uv run pytest

About

FlowMesh V2 plugin: lum.id identity, Runmesh billing, supplier attribution

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v0.1.1 — UsageSink fix for V2 task record Latest
May 13, 2026

Packages

 
 
 

Contributors

Languages