Add experimental ASGI app entry point for advanced server configuration

[lukasmasuch]

Describe your changes

Add a new experimental App class that provides an ASGI-compatible entry point for Streamlit apps. This enables custom HTTP routes, middleware configuration, lifecycle hooks, and integration with popular Python web frameworks, aligning Streamlit with the broader async web ecosystem. See the spec for more details: #13449

The App instance is exposed via from streamlit.starlette import App but will likely be moved into the st namespace once we move this out of experimental.

This PR also includes the discovery logic for detecting if the main script contains an App call -> which triggers a special asgi execution mode.

GitHub Issue Link (if applicable)

• Spec: [spec] st.App - ASGI application entry point #13449
• [Coming soon] Support custom HTTP requests #439
• Allow streamlit apps to easily serve robots.txt at the root level #9673
• Widget to host folder as website (for preview) #6195
• Enhanced JavaScript File Serving in Streamlit #9090
• MCP server for streamlit #11333
• Custom 404 / Error Page / Maintenance Page that is displayed whenever a bug is pushed or the app encounters and issue on boot #8713
• Handling Security Headers in Streamlit #6417
• Allow configuring HTTP Security Headers #9160
• Ability to write cookies #861
• Support ip whitelist #8823
• [Coming soon] Provide way to run with the WSGI/ASGI protocols #4311
• Integration with Flask - render simple Streamlit component on Flask or Fast API #4567
• Enable Streamlit to run multiple applications on Django via Django Channels instead of Tornado #927
• add get_tornado_instance as an experimental API #8661
• Multiple Runtime instances #7546
• On session start/shutdown hooks #7688
• Tornado HTTPServer extra arguments #9916
• Add a user entrypoint executed on startup before page loding #8991
• Pre-cache on start-up #6108
• Shut down the session after closing the browser tab by the user #8545
• Allow user using setup script to interact with streamlit app out of Script runner #7667
• Allow specifying custom website metadata #5673
• Ability to embed metadata for SEO indexing with Google Search Console, Analytics or Tag Manager trackers #8999

Testing Plan

• Added unit tests.

---

Contribution License Agreement

By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.

[lukasmasuch]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no bugs!

[github-actions]

Summary

This PR introduces the experimental App class (streamlit.starlette.App), enabling Streamlit applications to run as standard ASGI apps. This allows for integration with uvicorn, custom middleware, and other ASGI frameworks like FastAPI. The PR also includes:

• AST-based discovery logic in the CLI (discover_asgi_app) to automatically detect and run st.App instances.
• A new starlette_routes module implementing Streamlit's core endpoints using Starlette.
• Refactoring of bootstrap.py to support the ASGI execution mode.
• Comprehensive unit tests and a basic E2E test.

Code Quality

The code quality is excellent.

• Modularity: The new App class is well-isolated and properly interacts with the existing Runtime. The separation between the App definition, route handling, and server logic is clear.
• Typing: Type hints are used consistently throughout the new files.
• Readability: The code is well-documented with docstrings explaining the purpose of the new classes and functions.
• Safety: The discover_asgi_app uses ast.parse instead of executing code, which is the correct and safe approach for static analysis.

Test Coverage

Test coverage is robust:

• Unit Tests: lib/tests/streamlit/web/server/starlette/starlette_app_test.py covers the App lifecycle, configuration, route validation, and integration with the TestClient. lib/tests/streamlit/web/server/app_discovery_test.py covers the AST parsing logic thoroughly, including edge cases.
• E2E Tests: e2e_playwright/asgi_app.py provides a smoke test ensuring the app runs without console errors in the browser.

Backwards Compatibility

The changes are backwards compatible:

• The new functionality is experimental and opt-in (via st.App).
• The standard streamlit run command continues to work as expected for existing scripts.
• The discover_asgi_app mechanism falls back to the traditional execution mode if no App instance is found.

Security & Risk

• XSRF & CORS: The new starlette_routes.py correctly implements XSRF protection and CORS header generation, mirroring the behavior of the Tornado implementation.
• Path Traversal: The component routes use build_safe_abspath to prevent directory traversal attacks.
• Input Validation: The App class validates user-provided routes to prevent conflicts with reserved Streamlit paths.

Recommendations

1. File Upload Memory Usage: In lib/streamlit/web/server/starlette/starlette_routes.py, the _upload_put handler reads the entire file content into memory (await upload.read()). While this matches the MemoryUploadedFileManager backend, ensure this aligns with the intended memory usage profile for the ASGI mode, especially for large file uploads (up to server.maxUploadSize).
2. Documentation: Since this is an experimental feature, ensure it is marked as such in the public documentation when released. The code docstrings already include appropriate warnings.

Verdict

APPROVED: The PR implements a significant new feature with high code quality, strong test coverage, and careful attention to existing patterns and security requirements.

[nicornk]

Nice work @lukasmasuch