AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
agnes-the-ai-analyst/cli/lib/pull.py
ZdenekSrotyr 64cf78860d
feat(stack): unified Browse + My Stack for Data Packages and Memory (v49 schema) (#333) 
* feat(unified-stack): Browse + My Stack + Recipes + RBAC matrix (v49–v55)

Squash of 94 commits spanning the v49 → v55 unified-stack rewrite.
Full per-feature breakdown lives in CHANGELOG.md under [Unreleased].
Major buckets:

* v49 schema — first-class user_groups + user_group_members +
  resource_grants; admin can CRUD groups and grants; Google
  Workspace nightly sync writes into the new tables.
* v49 data_packages — admin-curated bundles of tables, RBAC-gated,
  first-class section on /catalog Browse + My Stack.
* v49 memory_domains — row-backed (replaces hardcoded VALID_DOMAINS
  enum); admin can CRUD; grants follow the same shape as tables and
  packages.
* v50 cover_image_url + admin sidebar collapsibles + per-row Mode
  tooltip + admin queue domain badges + admin "+ New Item" seed flow.
* v51 lifecycle status (prod/poc/coming-soon/draft) + category +
  palette swatches on admin modals.
* v52 per-table detail page /catalog/t/<id>.
* v53 Recipes — admin-curated SQL templates as a second tab on
  /catalog with full Edit/Delete admin affordances.
* v54 soft-delete (deleted_at) + Undo toast for packages, memory
  domains, and recipes; hard_delete() retained as escape hatch.
* v55 Recipes RBAC — ResourceType.RECIPE registered, inline Group
  Access matrix on Create + Edit Recipe modals (mirrors the Memory
  Domain pattern).
* Activity Center per-resource filter (resource_prefix LIKE-anchored
  on audit_log.resource); admin nav g+letter keyboard shortcuts;
  loadAdminTablesLayout N+1 → single endpoint; /api/memory 30s
  page-level cache.
* CI hardening — Keboola legacy tests pytest.importorskip; perf-
  smoke threshold widened to stop cold-cache flake.

5002 tests passing, 35 skipped.

* feat(p2 backlog): Cmd-K palette + suggest-a-domain + nightly E2E + v55 schema

10-item P2 sweep on top of the unified-stack squash. New behaviour:

* Cmd-K admin command palette (base.html) — fuzzy-search overlay over
  admin + user-facing routes. Arrows/Enter to navigate, Esc to close.
* Stack-tabs digit shortcuts — 1/2/3 switch Browse / My Stack /
  Recipes on /catalog + /corporate-memory.
* Friendlier non-admin empty state on /corporate-memory, plus a
  "Suggest a domain" CTA → POST /api/memory-domain-suggestions, admin
  queue with approve/reject. Backed by a new memory_domain_suggestions
  table (schema v55).
* /admin/corporate-memory 7-tab strip grouped under Moderation /
  Catalog parent labels.
* Bulk-assign table → package dropdown annotates each option with
  "(N of M tables already in)" so the existing distribution is visible
  before picking a target.
* GET /api/memory + /tree accept is_required filter; admin status
  dropdowns route the "Required" sentinel onto it (status no longer
  holds 'mandatory' post-v49, so the old dropdown returned nothing).
* chip-input.js is now opt-in per template via {% block extra_scripts %}
  instead of loaded globally on every page from base.html.
* Edit-modal close helpers consolidated onto _closeEditModalById();
  docs the per-source-type modal architecture decision.
* New .github/workflows/e2e-nightly.yml runs agent-browser smoke
  scripts (scripts/e2e/smoke_*.sh) against a docker-compose stack
  nightly at 04:30 UTC; failures open an agent-browser-nightly issue.

5012 tests passing, 35 skipped.

* fix(visual audit): 6 page regressions on memory + data-package surfaces

agent-browser walkthrough of every memory + data-package page in the PR
turned up 6 real bugs. Fixes:

1. Admin memory modals were dead. Duplicate `let _cmdNewDomainId`
   declarations from the deprecated step-2 RBAC stubs in
   admin_corporate_memory.html collided with the live state vars
   declared earlier in the same <script> → SyntaxError on parse →
   the entire second script block silently failed → every inline
   onclick= handler defined there (`+ New Memory Domain`, Edit, etc.)
   was a no-op. Removed the duplicate stubs.

2. /catalog/t/<table_id> + /catalog/r/<slug> rendered unstyled.
   Both templates injected their CSS via {% block head %} but
   base.html exposes {% block head_extra %} — wrong block name
   meant <style> rules never reached the rendered HTML. Renamed
   to head_extra. Hero card, section cards, dark SQL block, proper
   full-width inputs all now render as designed.

3. L49 leak — "MANDATORY" KPI label + "Make Mandatory" row buttons
   on /admin/corporate-memory still used the old word. Renamed to
   "Required" / "Mark as Required" so UI matches the data model
   (v49 split moved the Required tier onto the orthogonal
   is_required boolean; status no longer holds 'mandatory').

4. Activity Center Resource dropdown didn't know the v55
   `memory_domain_suggestion:` namespace — added it.

5. Tab strip on /admin/corporate-memory wrapped text 2× per button
   on narrow viewports after the L50 MODERATION/CATALOG group
   labels pushed total width past most viewports. Switched the
   strip to flex-wrap:nowrap + overflow-x:auto with
   white-space:nowrap + flex-shrink:0 on every direct child so the
   tabs stay one row and slide horizontally when they overflow.

5012 tests passing, 35 skipped.

* rebase-cleanup: align with main's 0.54.25-27 API design + comment fix

Three follow-on fixes after rebasing onto origin/main (0.54.27):

* admin_tables.html: dropped a stray nested ``{% if data_source_type
  == 'keboola' %}`` around ``prefillFromKeboolaTable`` (main never had
  it; the outer Phase F2 guard already covers it) and reworded a JS
  comment that contained literal ``{% %}`` tokens which Jinja was
  parsing as a real tag → unbalanced if/endif → 30 template render
  failures across the suite.
* /api/stack/subscription/{type}/{id}: DELETE now returns 204 instead
  of 200 per the 0.54.26 design rules. CLI client + parity tests
  updated to accept 2xx / assert 204.
* Memory-domain suggestion approve/reject paths added to
  ``_VERB_PATH_ALLOWLIST`` — they are pending → approved/rejected
  state-machine transitions (approve also creates the real
  memory_domains row as a side effect), so the RPC shape is
  intentional rather than a missed PATCH refactor.

5035 tests passing, 35 skipped.

* fix(catalog_table_detail): real polish pass — hero glyph, dedup pills, rows/size meta, scoped sync CTA

The previous fix only got the block-name typo so the existing CSS rendered.
The actual layout was still wireframe-tier on close inspection:

* No cover glyph in the hero (a flat white card with title + meta line);
  data-package + memory-domain detail pages both have a colored icon
  square. Restored parity — table.icon emoji if set, otherwise initials
  on a colored square using table.color.
* "INTERNAL" pill rendered twice for agnes_audit etc. — the mode pill
  and the source-type pill happened to be identical strings. Now skip
  the source pill when it matches the mode (`internal == internal`).
* Bucket / source_table code chip showed `Agnes Internal.audit_log` for
  internal rows — meaningless to a user. Hidden when source_type is
  internal.
* `pairs_well_with` admin input was a comma-separated `<input>` always
  visible. Wrapped all 4 sections in an Edit-on-demand toggle: read-
  only display by default, "+ Add" / "Edit" button on the right edge
  of each section header reveals the inline form, Cancel hides it.
* "Trigger sync now" was a cramped link squashed into the empty-state
  flex row (visible as `Tr…` overflow before). Promoted to a proper
  btn-primary button under the empty-state copy. Hidden entirely for
  internal tables (which are server-managed — no upstream to pull).
* Hero meta now surfaces row count + payload size (when sync_state has
  them) + last sync timestamp on a single line — was missing from the
  original.
* Mode pills colored by tier (local=green, remote=amber, materialized=
  blue, internal=gray) so the basic fact about a table reads at a
  glance, not from upper-cased ALL-CAPS text alone.

* tests(v56): TDD baseline for extended data-packages content + per-table docs

68 failing tests across 8 files spec the v56 surface before any
implementation lands:

* test_schema_v55_to_v56_migration.py — schema bump, additive ALTERs
  on data_packages + table_registry, idempotency, sequential-upgrade
  preservation
* test_data_packages_repo_v56.py — repo create/update/get/list for
  owner_name, owner_team, tags, long_description, when_to_use,
  when_not_to_use, example_questions (JSON list round-trip, empty
  defaults, partial-update preservation)
* test_table_registry_v56_docs.py — update_docs for grain, platforms,
  partition_col, history, gotchas; preserves v52 docs columns
* test_api_data_packages_v56.py — PUT/POST/GET for all new fields,
  field-level validation (tag count, bullet length, description size),
  virtual badge derivation (curated/new)
* test_api_registry_docs_v56.py — PATCH /api/admin/registry/{id}/docs
  for v56 fields, validation, RBAC unchanged
* test_web_catalog_package_detail_v56.py — /catalog/p/<slug> rewrite
  asserts on rendered owner line, tag pills, badges, What it is,
  Use it when, Skip it when, Example questions, per-table extended
  detail in collapsible row, key-gotcha distinctness, admin-only Edit
* test_web_stack_card_v56_metadata.py — Browse-grid card additions
  (owner chip, tag chips, badges) without breaking back-compat for
  rows missing the new fields
* test_data_packages_no_vendor_content.py — CI guard: scans app/ +
  src/ + cli/ + config/ + scripts/ for Groupon-specific tokens from
  the colleague's spec MD; fails if any leak into OSS surfaces
* test_db_schema_version.py — bumped 55 → 56 with rationale

Plus updates schema-version assertion to 56. Implementation lands in
subsequent commits (schema migration → repo → API → templates).

* feat(v56): schema + repo for extended data-packages content

Schema additions (ALTER ADD COLUMN IF NOT EXISTS — additive + idempotent):

* data_packages: owner_name, owner_team, tags, long_description,
  when_to_use, when_not_to_use, example_questions (JSON-as-VARCHAR for
  the lists)
* table_registry: grain, platforms, partition_col, history, gotchas
  (extends the v52 sample_questions / things_to_know / pairs_well_with
  docs surface with structured per-table content)

Repo extensions:

* DataPackagesRepository.create + update accept the new fields with
  the same Optional-is-no-op contract as v51 (pass an empty list to
  clear a JSON column)
* _decode_row decodes the new JSON-list columns to Python lists; NULL
  rounds back to [] so callers don't branch
* TableRegistryRepository.update_docs grew the v56 fields alongside
  the existing v52 ones — single PATCH can write either tier
  atomically
* TableRegistryRepository._decode_row picks up platforms + gotchas in
  the same NULL-tolerant decoder

22 repo + migration tests passing. API + UI land in subsequent commits.

* feat(v56): API surface for extended data-packages + per-table docs

CreateDataPackageRequest + UpdateDataPackageRequest grew the v56 fields
(owner_name, owner_team, tags, long_description, when_to_use,
when_not_to_use, example_questions) with per-field validators that
match the Foundry spec checklist:

  * tags: ≤8 entries × ≤30 chars
  * long_description: ≤4000 chars
  * use/skip: ≤8 bullets × ≤200 chars
  * example_questions: ≤12 × ≤200 chars

_serialize emits all v56 fields plus a virtual ``badges`` list derived
server-side at render time (no DB column needed): "curated" when the
creator is in the Admin group, "new" within 30 days of created_at.
Backdating created_at or admin-status changes pick up automatically.

PATCH /api/admin/registry/{id}/docs extended with v56 structured
per-table fields (grain, platforms, partition_col, history, gotchas).
gotchas: list of {key: bool, body: str} Pydantic models with the same
≤8 cap; first key=true entry becomes the Key gotcha on the rendered
package detail page. PATCH echoes the fresh state so callers can
re-render without a second GET.

26 API tests passing (16 data-packages + 10 registry-docs).

* feat(v56): /catalog/p/<slug> rewrite + Browse-grid card augmentation

The third (and final) v56 commit lights up the UI surfaces backed by
the schema + API commits earlier in this PR:

* /catalog/p/<slug> template rebuilt around the Foundry spec's
  section ladder — hero (icon + name + badges + owner + tags +
  description + meta + Add-to-stack), "What it is" markdown body,
  paired "Use it when / Skip it when" panels, "Tables in this
  package" with collapsible per-table extended detail (grain /
  platforms / partition_col / history / gotchas + sample questions),
  and an "Example questions you can ask Claude" prompt panel. Each
  section guarded by ``{% if pkg.<field> %}`` — empty content fields
  hide the section entirely (no "No X yet" placeholder noise on the
  public-facing drilldown).
* router catalog_package_detail hydrates per-table v56 fields onto
  the tables list + derives the virtual badges (curated / new)
  server-side from creator-in-Admin + 30-day created_at.
* StackResolver.ResourceEntry grew owner_name / owner_team / tags /
  badges; _fetch_entries pulls the v56 columns + computes badges
  once per fetch using a single Admin-group SELECT.
* _data_package_entry_dict adapter passes the new fields through to
  the macro; tags are merged source-type pills + admin-authored
  category tags per the spec convention.
* _stack_card.html renders the v56 badges (top-left, data-badge=
  hooks) + the owner chip (data-card-owner hook) without breaking
  back-compat — pre-v56 rows render unchanged.
* Admin PUT handler strips the v56 docs fields from the
  read-modify-write merged dict so register() doesn't blow up
  with the now-larger row shape (same pattern as the v52 docs
  fields stripping).

5115 tests passing (+98 v56 + 18 fixed regressions from the merged-
register PUT path), 35 skipped.

* fix(rbac): Edit-on-package + Group-access 'required' persistence + CI vendor guard

Three related bugs reported on the merged-with-main branch:

1. Clicking Edit on a Data Package card landed on /admin/tables with
   a `#<pkg.id>` hash that nothing listened to — admin saw the global
   table listing, not the editor for that specific package. Added a
   `?edit_package=<pkg_id>` query-param handler in admin_tables.html
   (analog to the existing `?edit=<table_id>` and `?assign_to=<pkg_id>`
   patterns) that calls openEditDataPackageModal on DOMContentLoaded
   after a 250ms layout settle. Updated the package-detail Edit link
   to use the new query param.

2. Setting Group Access to 'required' didn't persist — re-opening
   the modal showed 'available'. Root cause was the v49
   ``resource_grants.requirement`` enum existing in the DB but the
   POST /api/admin/grants endpoint not surfacing it: ``CreateGrantRequest``
   declared only group_id + resource_type + resource_id, so Pydantic
   silently dropped the matrix's ``requirement: 'required'`` payload
   and the new row landed at the DB column default ('available').
   Plumbed ``requirement`` through ``CreateGrantRequest`` →
   ``ResourceGrantsRepository.create`` so the value persists in one
   round-trip. Plus a UNIQUE-constraint race in the matrix
   diff-apply: DELETE-old + POST-new ran in parallel via
   ``Promise.allSettled``, so POST could fire first and trip the
   unique check before DELETE freed the slot. Switched to sequential
   (await all deletes; then await all writes) across all three
   matrices (Edit Data Package, Edit Memory Domain, Edit Recipe).

3. CI vendor-content guard ``test_no_groupon_specific_strings_in_oss``
   tripped on two of my own docstrings: a "Foundry Data team" mention
   in two src/db.py comments + an ``s1_session_landings`` example in
   cli/skills/agnes-table-registration.md. Rephrased the comments to
   "extended-descriptions admin spec" and replaced the example with
   a generic ``events_daily`` table name.

5164 tests passing, 35 skipped (+4 regression tests pinning the POST
/api/admin/grants requirement contract). Vendor guard back to green.

* fix(catalog): admin Browse path drops v58 card fields

The /catalog and /memory admin god-mode branch built ResourceEntry
instances inline from pkg_repo.list() / domains_repo.list() and skipped
owner_name, owner_team, tags, and derived badges (curated/new). Visible
symptom: a package with an owner + tags rendered with the v56 chrome
for non-admin viewers but as a bare card for admins.

Adds StackResolver.browse_admin(user_id, resource_type) — admin god-mode
Browse that walks the full table but routes through the same
_fetch_entries enrichment pass as browse(), so admin + non-admin Browse
stay visually consistent. Both /catalog and /corporate-memory routes
switch to it.

Regression test in tests/test_stack_resolver_browse_admin.py covers:
owner/tags propagation, new/curated badge derivation, in_stack from
admin subscriptions, all-packages-regardless-of-grants, and the
ValueError for unsupported resource types.

* fix(catalog): three /catalog tab-strip UX bugs

1. Required Remove → red toast
   browse_admin passed empty required_ids to _fetch_entries, so the
   admin's own required grants surfaced as 'available' and the macro
   rendered an actionable Remove button that POST /unsubscribe 400'd
   on. Now derives required_ids from the admin's own groups so
   Required packages render with the disabled "In stack (required)"
   button. Regression test in test_stack_resolver_browse_admin.py.

2. Remove green-toasts but card stays until refresh
   The My-Stack empty-state placeholder was only emitted server-side
   when stack_entries was empty at render time. Removing the last
   card left the tab completely blank — users read that as "Remove
   didn't work, let me refresh". Both grid + empty-state are now
   always rendered with one of them initially hidden; the JS swaps
   visibility on add/remove instead of injecting DOM. Same fix in
   /corporate-memory.

3. "What are Recipes?" + ambiguous (admin) suffix
   Recipes tab now carries its own curator-block explainer (the
   shared one was moved inside Browse view so it doesn't bleed
   across tabs). The grey "(admin)" suffix becomes a yellow
   .admin-only-hint chip with a title tooltip — visibility hint is
   now unambiguous: yellow chip = "only you see this", non-admins
   don't see the affordance at all.

* schema: renumber v51..v58 → v52..v59 to make room for main's v51

Main 0.54.29 introduced a NEW v51 (table_registry.bq_fqn — issue #343)
that releases ahead of this branch. The unified-stack chain v51..v58
shifts up by one so main's v51 stays as the released schema and ours
become v52..v59. Function names, internal version bumps, dispatch
ladder thresholds, and the migration-test references all move
together. Subsequent merge with main lands the bq_fqn column at the
freed v51 slot.

* fix(seed): seed admin lands in BOTH Admin AND Everyone groups

The LOCAL_DEV_MODE / SEED_ADMIN_EMAIL bootstrap only added the seed
user to Admin. Everyone-scoped grants — the canonical "every-user-
sees-this" pattern for Required onboarding — didn't surface for the
seed admin's own /catalog because they weren't in Everyone. Symptom:
admin grants a Required-tier package to Everyone, then sees it on
/catalog still rendered with an "Add to stack" button (because the
admin's resolved required_ids was empty for that package).

The dual-membership keeps Admin (authorization) and Everyone
(default-grant target) intentionally separate per the design comment
on UserRepository.create — every membership remains traceable to a
concrete row, just now with a system_seed row in Everyone too. Both
INSERTs go through UserGroupMembersRepository.add_member which is
idempotent on (user_id, group_id), so re-fires on every lifespan
startup don't duplicate rows.

Regression test in test_main_seed_admin_everyone.py.

* style: unify admin-only hints across marketplace + memory detail pages

Replaces three stale ``(admin)`` parentheticals with the same yellow
``admin-only`` chip introduced for /catalog tab actions. Same tooltip
copy ("Visible only to admins — analysts won't see this …") so the
visibility hint is unmistakable wherever it appears:

- Hard delete on marketplace_plugin_detail (admin-only destructive
  action — same gating as the original suffix conveyed).
- Hard delete on marketplace_item_detail (same).
- Edit link on memory_domain_detail (title-attr only before; now a
  visible chip too).

Non-admin viewers never saw these affordances — the gates are
unchanged. Pure styling pass for consistency.

* fix(catalog): exclude soft-deleted data packages + memory domains from Browse

``StackResolver._fetch_entries`` and ``browse_admin`` were querying
data_packages / memory_domains without a ``deleted_at IS NULL`` guard.
A package soft-deleted via /admin/* (v54 soft-delete contract) stayed
visible on /catalog and /memory until either an Undo or a hard delete
— directly contradicting the soft-delete UX which is supposed to
remove the affordance immediately and only retain the row for the
Undo window.

The repository accessors (DataPackagesRepository.list,
MemoryDomainsRepository.list, list_packages_of_table, etc.) already
filter deleted rows; this commit brings the resolver's direct SQL in
line with that contract.

Regression test in test_stack_resolver_browse_admin.py.

* fix(catalog): Add/Remove updates full card chrome, not just button

The previous _applyStackChange flipped only the footer button label —
the card border (.is-in-stack class), top-right "In stack" badge, and
button color class (--add / --remove) stayed at their server-rendered
state. After Add the user saw the button checkmark but the rest of
the card still looked like "available, not in stack". They read this
as "the change didn't take — let me refresh".

This commit makes the optimistic update mirror what the server-side
macro renders for the new state:

* ``c.classList.toggle('is-in-stack', becameInStack)`` — flips the
  border + visual state class.
* Top-right ``.stack-card__req-badge--instack`` badge is injected on
  Add, removed on Remove (skipped when ``data-requirement='required'``
  — that slot is owned by the Required badge).
* Button text is "Remove" / "+ Add to stack" matching the macro
  (was "✓ In stack" which was visually nice but inconsistent).
* Button color class --add / --remove swaps so the destructive Remove
  tint kicks in immediately.

The clone-into-My-Stack path applies the same updates so the new card
in My Stack reads identically to a server-rendered in_stack card.
Mirrored in /corporate-memory.

* fix(memory): four Devin-review bugs on /memory drill-down + manifest

PR #333 Devin review surfaced four real bugs that ship a broken
/memory experience even though the unit tests passed.

1. Manifest md5 omits is_required + content (app/api/sync.py:836-840)
   _build_memory_domains_section hashed only (id|title|status) per
   item. _build_per_domain_markdown routes items between "## Required"
   and "## Approved" by is_required and embeds full content — so an
   admin edit of either dimension left the manifest md5 unchanged,
   `agnes pull` skipped the re-fetch, and the analyst kept a stale
   bundle.md. Now both fields participate in the hash.

2. required_count always 0 (src/repositories/memory_domains.py)
   list_items_of_domain only SELECTed (id, title, status) so the
   `it.get("is_required")` in the manifest builder always evaluated
   to None → required_count = 0 regardless of actual state. The
   manifest builder advertised a count it could never compute. Now
   projects is_required + content too (required by fix 1 anyway).

3. Vote URL 404 (memory_domain_detail.html:289-290)
   Constructed `/api/memory/items/{id}/vote` but the route is
   `/api/memory/{id}/vote`. Every upvote/downvote button was a
   silent no-op.

4. Dismiss/undismiss URL + method both wrong (memory_domain_detail.html:296-305)
   Constructed `/api/memory/items/{id}/dismiss` (extra /items/) and
   /undismiss (no such route — undismiss is DELETE on /dismiss).
   Both buttons silently 404'd. Now POST + DELETE on
   `/api/memory/{id}/dismiss` per app/api/memory.py:635/675.

* fix: multi-agent reviewer findings — vendor-token scrubs + manifest md5 predicate + soft-delete filter

Three reviewer findings from the multi-agent review on PR #333,
fixed in-place per CLAUDE.md issue-economy rule.

Reviewer-rules (Important — vendor-agnostic OSS):
- app/main.py:218 comment: replaced 'foundryai-prod' with generic
  'a customer prod instance' phrasing. Public OSS repo must not
  carry customer-specific tokens (CLAUDE.md § Project conventions).
- tests/test_table_registry_v56_docs.py:70 fixture string:
  replaced "user_brand_affiliation = 'groupon'" with 'acme' on
  the same rule.

Reviewer-architecture (closes still-unresolved Devin 🚩 ANALYSIS):
- app/api/sync.py _build_memory_domains_section: md5 hash loop now
  filters items to the SAME predicate the bundle renderer uses
  (is_required OR status='approved'). Pre-fix the hash iterated ALL
  items but _build_per_domain_markdown only rendered the union of
  required items + approved-non-required items — so an admin edit
  to a pending/rejected non-required item flipped the md5 against
  an identical-bytes bundle, triggering a wasteful re-fetch on
  every analyst's next 'agnes pull'. The earlier commit fixed the
  hash-input fields (is_required + content); this closes the
  set-of-items asymmetry Devin separately flagged.

Reviewer-RBAC (minor cleanup):
- app/resource_types.py _data_package_blocks and _memory_domain_blocks
  now filter 'WHERE deleted_at IS NULL' (v54 soft-delete column) so
  the /admin/access UI doesn't surface soft-deleted entities as
  grantable. Mirrors the existing filter on _recipe_blocks. No
  security leak pre-fix (resolver double-filters and re-checks at
  serve time), just UI cleanliness.
- app/services/stack_resolver.py add_to_stack: docstring note
  added explaining that authorization is enforced at the API layer
  (app/api/stack.py can_access gate), not at the resolver. The
  initial review suggested adding a defensive 403 here, but that
  broke 5 existing tests that legitimately call add_to_stack
  directly without setting up grants first; the docstring captures
  the contract instead. stack() already intersects subscriptions
  with current available_ids on every read, so a 'zombie' row from
  a misuse never leaks into the user-facing manifest.

* release: 0.55.0 — unified Browse + My Stack (Data Packages + Memory), schema v48→v59, 3 BREAKING
2026-05-19 15:00:15 +02:00

809 lines
33 KiB
Python
Raw Blame History

"""`run_pull` — pure data-refresh primitive lifted from `cli/commands/sync.py`.
Pulls the RBAC-filtered manifest from the server, downloads parquets whose
MD5 hash differs from local state, rebuilds DuckDB views, and syncs the
corporate memory bundle to `<workspace>/.claude/rules/km_*.md`.
Contract — Task 8:
- Pure function: no Typer, no stdout, no `sys.exit`. Caller decides what to print.
- Returns a `PullResult` dataclass.
- `dry_run=True` -> no disk writes anywhere (no DB file, no parquet dir,
no rules dir, no sync_state).
- Lazy mkdir: `server/parquet/` is created inside the per-table loop on
first write; `.claude/rules/` is only created when the bundle has at
least one mandatory item or non-empty approved list. Empty inputs leave
the workspace tree alone.
- The DuckDB file at `<workspace>/user/duckdb/analytics.duckdb` is the
load-bearing artifact for every downstream reader (CLI query, hooks),
so it gets created even with zero parquets.
The api_get/stream_download helpers in `cli/client.py` read server URL and
token from `cli.config` (via the `AGNES_SERVER` and `AGNES_TOKEN` env
overrides). To keep `run_pull` callable with explicit `server_url` /
`token` arguments without rewriting the HTTP layer, this module sets those
env vars for the duration of the call and restores the prior values on
exit. That's the cheapest adapter that doesn't bleed into client.py.
"""
from __future__ import annotations
import hashlib
import os
import re
import time
from contextlib import contextmanager
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterator
from cli.client import api_get, api_post, stream_download
from cli.config import get_sync_state, save_sync_state
@dataclass
class PullResult:
"""Outcome of a `run_pull` invocation.
Fields:
- `tables_updated`: count of parquets actually re-downloaded this run.
- `parquets_total`: count of non-remote tables visible in the manifest.
- `rules_count`: number of `km_*.md` files written to `.claude/rules/`.
- `duration_s`: wall time of the call.
- `errors`: list of `{"table": ..., "error": ...}` (or
`{"stage": "memory_bundle", "error": ...}`) — best-effort flow,
individual failures don't abort the whole pull.
"""
tables_updated: int = 0
parquets_total: int = 0
rules_count: int = 0
duration_s: float = 0.0
errors: list[dict] = field(default_factory=list)
# v49 (Phase 7, Task 7.5) — per-type stack-sync result. Populated when
# the manifest carries any of ``direct_tables`` / ``data_packages`` /
# ``memory_domains``. Kept off the constructor signature (None default)
# so older callers reading ``tables_updated`` keep compiling.
stack_sync: object = None
_SAFE_ID_RE = re.compile(r"^[a-zA-Z0-9_\-]{1,128}$")
def _read_progress_interval_seconds() -> float:
"""Seconds between forced progress emissions per file. Default 5 s.
Tighter cadence than the original 30 s default keeps non-TTY consumers
(Claude Code sub-agent watchdogs, CI runners) from killing the process
on apparent silence during a slow chunk. Override via
`AGNES_PULL_PROGRESS_INTERVAL_SECONDS`. Issue #203.
"""
raw = os.environ.get("AGNES_PULL_PROGRESS_INTERVAL_SECONDS", "")
if raw:
try:
v = float(raw)
if v > 0:
return v
except ValueError:
pass
return 5.0
def _read_progress_interval_bytes() -> int:
"""Bytes between forced progress emissions per file. Default 1 MiB.
Complements the time-based cadence so fast downloads also emit at a
reasonable rate (the original "every 10% of total" boundary went
unobserved on multi-GB parquets where 10% is tens of seconds of bytes).
Override via `AGNES_PULL_PROGRESS_INTERVAL_BYTES`. Issue #203.
"""
raw = os.environ.get("AGNES_PULL_PROGRESS_INTERVAL_BYTES", "")
if raw:
try:
v = int(raw)
if v > 0:
return v
except ValueError:
pass
return 1024 * 1024
class _TextualProgress:
"""Plain-text progress emitter for non-TTY stderr.
When `agnes pull` is invoked from a Claude Code SessionStart hook,
a CI runner, or any pipe consumer, stderr is not a terminal. Rich's
progress bar in that mode either suppresses output (silent for
minutes on a multi-GB parquet) or emits raw ANSI noise. This class
instead emits one terse line per file at sensible cadence.
Cadence policy: emit when *any* of:
- per-file bytes-downloaded crosses a 10%-of-total boundary, OR
- more than ``AGNES_PULL_PROGRESS_INTERVAL_BYTES`` bytes (default
1 MiB) since this file's last emission, OR
- more than ``AGNES_PULL_PROGRESS_INTERVAL_SECONDS`` (default 5 s)
since this file's last emission.
The byte+second floor exists because sub-agent / CI watchdogs read
"no output for N seconds" as a hung process and kill it (issue #203);
the original 30 s / 10% policy was silent enough to trip those gates
on slow links.
Always emits one final "done" line per file via `finish()` so the
operator sees a confirmed completion even on tiny files.
Format: `[N/T files] <tid>: 25% (16 MB / 66 MB) at 1.5 MB/s` — the
"[N/T files]" prefix lets the operator see overall pull progress
in a multi-table run without buffering all per-file lines.
Thread-safe — `advance` is called from the chunked-download worker
threads; an internal lock serializes the update + emit.
"""
_HUMAN_UNITS = (
(1024 * 1024 * 1024 * 1024, "TB"),
(1024 * 1024 * 1024, "GB"),
(1024 * 1024, "MB"),
(1024, "KB"),
)
def __init__(self, *, stream, total_files: int, file_sizes: dict[str, int]):
import threading
self._stream = stream
self._total_files = total_files
self._file_sizes = file_sizes
self._lock = threading.Lock()
self._interval_seconds = _read_progress_interval_seconds()
self._interval_bytes = _read_progress_interval_bytes()
# Per-file state.
self._bytes: dict[str, int] = {tid: 0 for tid in file_sizes}
self._started_at: dict[str, float] = {}
self._last_emit_at: dict[str, float] = {}
self._last_emit_pct: dict[str, int] = {}
self._last_emit_bytes: dict[str, int] = {}
self._finished_idx: int = 0 # files whose `finish` line has been emitted
def advance(self, tid: str, n: int) -> None:
"""Add `n` bytes to the file's total. Emit a textual update if
the cadence policy allows."""
with self._lock:
now = time.monotonic()
if tid not in self._started_at:
self._started_at[tid] = now
self._last_emit_at[tid] = now
self._last_emit_pct[tid] = 0
self._last_emit_bytes[tid] = 0
self._bytes[tid] = self._bytes.get(tid, 0) + n
total = self._file_sizes.get(tid, 0)
current = self._bytes[tid]
pct = int((current * 100) / total) if total > 0 else 0
elapsed = now - self._last_emit_at[tid]
bytes_since_emit = current - self._last_emit_bytes.get(tid, 0)
crossed_10 = pct >= self._last_emit_pct[tid] + 10
if (
crossed_10
or elapsed >= self._interval_seconds
or bytes_since_emit >= self._interval_bytes
):
self._last_emit_at[tid] = now
self._last_emit_pct[tid] = pct - (pct % 10)
self._last_emit_bytes[tid] = current
self._emit_line(tid, current, total, now)
def finish(self) -> None:
"""Emit a final `done` line for any file we never closed out."""
with self._lock:
now = time.monotonic()
for tid, total in self._file_sizes.items():
# Treat any file we observed bytes for as needing a
# final line. Files that errored out before any callback
# are still announced (operator wants visibility even on
# zero-byte attempts).
self._finished_idx += 1
bytes_ = self._bytes.get(tid, 0)
started = self._started_at.get(tid, now)
duration = max(0.001, now - started)
rate = bytes_ / duration
line = (
f"[{self._finished_idx}/{self._total_files} files] "
f"{tid}: 100% done "
f"({self._fmt_bytes(bytes_)} in {duration:.1f}s, "
f"{self._fmt_bytes(int(rate))}/s)\n"
)
self._stream.write(line)
try:
self._stream.flush()
except Exception:
pass
def _emit_line(self, tid: str, current: int, total: int, now: float) -> None:
started = self._started_at.get(tid, now)
duration = max(0.001, now - started)
rate = current / duration
if total > 0:
# Clamp displayed percentage to [0, 100]. When `current`
# exceeds the advertised `total` (range/chunked transfer
# over-counts, manifest size is compressed vs response is
# decompressed, server retransmits a chunk, etc.) the raw
# percentage would creep past 100% and snap back at
# `finish()`, which surfaced in 2026-05-12 sub-agent perf
# tests as confusing "174%" lines. Issue #258.
raw_pct = int((current * 100) / total)
pct_display = min(raw_pct, 100)
pct_str = f"{pct_display}%"
size_str = (
f"({self._fmt_bytes(current)} / {self._fmt_bytes(total)})"
)
else:
pct_str = "?"
size_str = f"({self._fmt_bytes(current)})"
idx = self._finished_idx + 1 # 1-based "currently working on file N"
line = (
f"[{idx}/{self._total_files} files] {tid}: {pct_str} "
f"{size_str} at {self._fmt_bytes(int(rate))}/s\n"
)
self._stream.write(line)
try:
self._stream.flush()
except Exception:
pass
@classmethod
def _fmt_bytes(cls, n: int) -> str:
for divisor, suffix in cls._HUMAN_UNITS:
if n >= divisor:
return f"{n / divisor:.1f} {suffix}"
return f"{n} B"
@contextmanager
def _override_server_env(server_url: str, token: str) -> Iterator[None]:
"""Set AGNES_SERVER + scoped token override for the duration of the call.
`cli.config.get_server_url` honors `AGNES_SERVER`, so the server URL is
swapped via env-var. The TOKEN override is routed through
`cli.config._with_token_override` (a ContextVar), which is checked by
`get_token()` BEFORE the on-disk `~/.config/agnes/token.json`. This is
load-bearing: `agnes init --token NEW` runs the verify call in step 2
while the file still holds an OLD token from a prior install — without
the override, the verify uses the stale on-disk token and fails 401.
`AGNES_TOKEN` env var is also set as a back-compat hint for any code
path that bypasses `get_token()` (none in `cli/` at last audit, but
third-party hooks may), but the contextvar is the authoritative source.
Restores prior values on exit so the caller's environment isn't
mutated permanently. Not safe for concurrent invocation across threads;
single-threaded use only.
"""
from cli.config import _with_token_override
prev_server = os.environ.get("AGNES_SERVER")
prev_token = os.environ.get("AGNES_TOKEN")
os.environ["AGNES_SERVER"] = server_url
if token:
os.environ["AGNES_TOKEN"] = token
try:
with _with_token_override(token):
yield
finally:
if prev_server is None:
os.environ.pop("AGNES_SERVER", None)
else:
os.environ["AGNES_SERVER"] = prev_server
if prev_token is None:
os.environ.pop("AGNES_TOKEN", None)
else:
os.environ["AGNES_TOKEN"] = prev_token
def run_pull(
server_url: str,
token: str,
workspace: Path,
*,
dry_run: bool = False,
skip_materialize: bool = False,
show_progress: bool = False,
) -> PullResult:
"""Refresh local parquets + corporate memory rules from the server.
Mirrors the `_sync_quiet` flow in `cli/commands/sync.py`, minus all
Typer/Rich UI. Returns a `PullResult` summary; never raises for
network/server errors (records them under `errors` instead) so the
caller can decide whether a partial pull is fatal.
Args:
skip_materialize: When True, omit `query_mode='materialized'`
tables from the download set. Use for analysts who only
care about `--remote` access on the workspace and don't
want to wait on multi-GB scheduled-query parquets at first
init. Pavel's #185 Phase 1: a 6.3 GB `order_economics`
parquet kept first init silent for 44 minutes.
show_progress: When True, render a per-file progress bar to
stderr via Rich during the parallel download phase. Pass
False from `--quiet` callers (SessionStart hooks).
"""
started = time.monotonic()
result = PullResult()
workspace = Path(workspace)
with _override_server_env(server_url, token):
# 1. Fetch manifest. A failure here means we can't tell what to
# download at all — record the error and bail out empty-handed.
try:
resp = api_get("/api/sync/manifest")
resp.raise_for_status()
manifest = resp.json()
except Exception as exc:
result.errors.append({"stage": "manifest", "error": str(exc)})
result.duration_s = time.monotonic() - started
return result
server_tables = manifest.get("tables", {}) or {}
local_state = get_sync_state()
local_tables = local_state.get("tables", {})
# 2. Compute the download set, skipping remote-mode tables (no
# parquet on the server) and unchanged hashes.
#
# The parquet-existence check is load-bearing: a stale `sync_state.json`
# entry (hash matches server) is NOT proof the file is on disk. The
# file can disappear between runs — manual rm, disk corruption, an
# operator nuking `server/parquet/` during cleanup, a different
# workspace sharing the same `~/.config/agnes/sync_state.json`
# (TODO(workspace-scoped-sync-state) below) writing one workspace's
# parquets while another reads sync_state and assumes "I already
# have these." Without the existence guard, `agnes pull` would skip
# the download and the downstream DuckDB view rebuild fails on a
# missing file. Hash-equal-but-file-missing → force re-download.
to_download: list[str] = []
non_remote_total = 0
parquet_dir = workspace / "server" / "parquet"
for tid, info in server_tables.items():
if info.get("query_mode") == "remote":
continue
if skip_materialize and info.get("query_mode") == "materialized":
# Operator opt-out for first-init. Materialized rows are
# still discoverable via `agnes catalog` and queryable
# the next time `agnes pull` runs without --skip-materialize.
continue
non_remote_total += 1
local_hash = local_tables.get(tid, {}).get("hash", "")
server_hash = info.get("hash", "")
target = parquet_dir / f"{tid}.parquet"
if (
server_hash != local_hash
or tid not in local_tables
or not server_hash
or not target.exists()
):
to_download.append(tid)
result.parquets_total = non_remote_total
# 3. Dry-run short-circuit — touch nothing on disk.
if dry_run:
result.tables_updated = 0 # by definition no writes happened
result.duration_s = time.monotonic() - started
return result
# 4. Download parquets in parallel. Lazy mkdir: only create
# server/parquet/ when we have at least one table to write into it.
# Concurrency capped by `AGNES_PULL_PARALLELISM` (default 4) so a
# registry of 50+ tables doesn't open 50+ TCP connections + saturate
# the analyst's NIC; 4 matches typical home-broadband saturation
# without over-subscribing the server's caddy file_server (each
# request is a separate goroutine + sendfile, but the analyst's
# downlink is the more frequent bottleneck). Set to 1 to restore
# the pre-PR serial behavior for debug repro. The server-side
# bypass-uvicorn fix (Caddy file_server) is the other half —
# without it, parallel downloads would still queue on the single
# uvicorn worker.
if to_download and not parquet_dir.exists():
parquet_dir.mkdir(parents=True, exist_ok=True)
try:
workers = max(1, int(os.environ.get("AGNES_PULL_PARALLELISM", "4")))
except ValueError:
workers = 4
# Drop to serial when there's only one (or zero) tables — avoids
# the executor + thread overhead for the common single-update case.
workers = min(workers, len(to_download)) if to_download else 1
# Optional progress reporting — two paths.
#
# 1. Rich progress bar: per-file bytes-streamed bar with speed +
# ETA. Rendered to stderr when stderr is a TTY. Aggregates
# across the parallel ThreadPoolExecutor workers and across
# chunked-download chunks (all chunks call the same callback
# advancing the same task).
# 2. Textual fallback: when `show_progress=True` but stderr is
# NOT a TTY (Claude Code SessionStart hook, CI run, Docker
# log capture), Rich would either suppress the bar or emit
# raw control sequences. Instead we emit one plain-text line
# per file at most every 10% or 30 s — enough signal to know
# the pull isn't frozen on a multi-GB parquet, terse enough
# not to spam the consumer's log.
#
# Both paths receive the same per-file callback so the chunked-
# download contract ("one file = one task, sum-of-chunks bytes")
# is honored uniformly.
import sys as _sys
progress = None
progress_tasks: dict[str, int] = {}
textual = None
use_textual_fallback = (
show_progress
and to_download
and not _sys.stderr.isatty()
)
if show_progress and to_download and not use_textual_fallback:
from rich.progress import (
Progress, BarColumn, DownloadColumn, TextColumn,
TimeRemainingColumn, TransferSpeedColumn,
)
progress = Progress(
TextColumn("[bold]{task.fields[label]}[/]"),
BarColumn(),
DownloadColumn(),
TransferSpeedColumn(),
TimeRemainingColumn(),
transient=False,
)
progress.start()
for tid in to_download:
size = int(server_tables[tid].get("size_bytes") or 0)
# Some manifest entries don't carry size — Rich shows
# an indeterminate bar in that case.
progress_tasks[tid] = progress.add_task(
"download", label=tid, total=size if size > 0 else None,
)
elif use_textual_fallback:
textual = _TextualProgress(
stream=_sys.stderr,
total_files=len(to_download),
file_sizes={
tid: int(server_tables[tid].get("size_bytes") or 0)
for tid in to_download
},
)
def _download_one(tid: str) -> tuple[str, dict | None, str | None]:
"""Returns (tid, local_table_entry_or_None, error_or_None).
One bound thread per call; stream_download is sync I/O so a
ThreadPoolExecutor (not asyncio) is the right tool. The
progress callback is thread-safe — Rich's Progress.update
and the textual fallback's lock both serialize internally."""
target = parquet_dir / f"{tid}.parquet"
expected_hash = server_tables[tid].get("hash", "")
cb = None
if progress is not None and tid in progress_tasks:
task_id = progress_tasks[tid]
def cb(n: int, _tid=tid, _task=task_id):
progress.update(_task, advance=n)
elif textual is not None:
def cb(n: int, _tid=tid):
textual.advance(_tid, n)
try:
stream_download(f"/api/data/{tid}/download", str(target),
progress_callback=cb)
if expected_hash:
actual_hash = _file_md5(target)
if actual_hash != expected_hash:
target.unlink(missing_ok=True)
raise ValueError(
f"hash mismatch: expected {expected_hash[:12]}, got {actual_hash[:12]}"
)
elif not _is_valid_parquet(target):
target.unlink(missing_ok=True)
raise ValueError("not a valid parquet (missing PAR1 magic)")
entry = {
"hash": expected_hash,
"rows": server_tables[tid].get("rows", 0),
"size_bytes": server_tables[tid].get("size_bytes", 0),
}
return tid, entry, None
except Exception as exc:
return tid, None, str(exc)
try:
if workers <= 1:
outcomes = [_download_one(tid) for tid in to_download]
else:
from concurrent.futures import ThreadPoolExecutor
with ThreadPoolExecutor(max_workers=workers) as ex:
outcomes = list(ex.map(_download_one, to_download))
finally:
if progress is not None:
progress.stop()
if textual is not None:
textual.finish()
for tid, entry, err in outcomes:
if err is not None:
result.errors.append({"table": tid, "error": err})
else:
local_tables[tid] = entry
result.tables_updated += 1
# 5. Persist sync state (only on real runs).
# TODO(workspace-scoped-sync-state): currently saved to
# ~/.config/agnes/sync_state.json (per legacy sync.py behavior).
# Two workspaces sharing one user account share this state.
# Future: scope to <workspace>/.agnes/sync_state.json so workspace
# bootstrap leaves no residue outside <workspace>/.
local_state["tables"] = local_tables
local_state["last_sync"] = datetime.now(timezone.utc).isoformat()
save_sync_state(local_state)
# 6. Rebuild DuckDB views — unconditional. The DB file is the
# load-bearing artifact for downstream readers.
_rebuild_duckdb_views(workspace, parquet_dir)
# 7. Fetch corporate-memory bundle and lazily write
# `.claude/rules/km_*.md`. Best-effort: a server outage on this
# endpoint must not fail the whole pull.
try:
written = _fetch_and_write_rules(workspace)
result.rules_count = written
except Exception as exc:
result.errors.append({"stage": "memory_bundle", "error": str(exc)})
# 8. v49 stack sync — per-type loop into ``~/.claude/data/`` and
# ``~/.claude/memory/`` with reference-counted dedup. Runs only
# when the manifest carries the v49 fields (older servers /
# backward-compat workspaces are untouched). Best-effort:
# failure here records under ``result.errors`` but doesn't abort
# the rest of the pull.
if any(
k in manifest for k in ("direct_tables", "data_packages", "memory_domains")
):
try:
result.stack_sync = _run_stack_sync_from_manifest(manifest, workspace)
except Exception as exc:
result.errors.append({"stage": "stack_sync", "error": str(exc)})
result.duration_s = time.monotonic() - started
# 9. Pull-confirm telemetry — fire-and-forget POST so the server can
# close the loop on the ``sync.pull_started`` event from Phase 6.
try:
_emit_pull_confirm(server_url, token, result)
except Exception:
pass
return result
def _run_stack_sync_from_manifest(manifest: dict, workspace: Path):
"""Build a ``pull_sync.PullStackOptions`` from the manifest payload
and invoke ``run_stack_sync``. The local sync root is the
``<workspace>/.claude/`` dir so the stack-sync artifacts live next
to the existing ``<workspace>/.claude/rules/`` / ``<workspace>/.claude/
settings.json`` tree (workspace-scoped, not user-home, matching
Section 5.3 of the spec for analyst workspaces)."""
from cli.lib.pull_sync import PullStackOptions, run_stack_sync
local_root = workspace / ".claude"
def _fetcher(url: str, target: Path) -> None:
stream_download(url, str(target))
def _bundle_fetcher(slug: str) -> bytes:
resp = api_get("/api/memory/bundle", params={"domain": slug})
resp.raise_for_status()
return resp.content
opts = PullStackOptions(
manifest=manifest,
local_dir=local_root,
fetcher=_fetcher,
md5_of=_file_md5,
bundle_fetcher=_bundle_fetcher,
)
return run_stack_sync(opts)
def _emit_pull_confirm(server_url: str, token: str, result: "PullResult") -> None:
"""POST /api/sync/pull-confirm with the per-type aggregate counts.
Fire-and-forget — the parent already swallows exceptions but the
helper has its own ``try/except`` so a 404 (older server without
the endpoint) is silent rather than logged as a warning."""
stack = result.stack_sync
direct = getattr(stack, "direct_tables", None) if stack else None
dp = getattr(stack, "data_packages", None) if stack else None
md = getattr(stack, "memory_domains", None) if stack else None
payload = {
"duration_ms": int(result.duration_s * 1000),
"direct_tables": {
"added": getattr(direct, "added", 0),
"updated": getattr(direct, "updated", 0),
"removed": getattr(direct, "removed", 0),
},
"data_packages": {
"added": getattr(dp, "added", 0),
"updated": getattr(dp, "updated", 0),
"removed": getattr(dp, "removed", 0),
},
"memory_domains": {
"added": getattr(md, "added", 0),
"updated": getattr(md, "updated", 0),
"removed": getattr(md, "removed", 0),
},
"errors": len(result.errors),
}
try:
api_post("/api/sync/pull-confirm", json=payload)
except Exception:
# Endpoint may not exist on older servers; silent skip.
pass
# ---------------------------------------------------------------------------
# Helpers — copied verbatim from cli/commands/sync.py with the lazy-mkdir
# fix in `_fetch_and_write_rules`. Task 18 deletes sync.py; until then the
# two copies coexist (no behavior drift, copy not move).
# ---------------------------------------------------------------------------
def _file_md5(path: Path) -> str:
"""MD5 of a file, same chunking as app/api/sync.py:_file_hash so the
client-side verification matches the manifest hash byte-for-byte."""
h = hashlib.md5()
with open(path, "rb") as f:
for chunk in iter(lambda: f.read(8192), b""):
h.update(chunk)
return h.hexdigest()
def _is_valid_parquet(path: Path) -> bool:
"""Cheap structural check — parquet files begin and end with `PAR1`.
Used as a fallback when the manifest has no hash (legacy snapshots) and
during view rebuild to skip obviously-broken files. Does not guarantee
the footer is well-formed — that's DuckDB's job at CREATE VIEW time.
"""
try:
size = path.stat().st_size
if size < 8:
return False
with open(path, "rb") as f:
head = f.read(4)
f.seek(-4, 2)
tail = f.read(4)
return head == b"PAR1" and tail == b"PAR1"
except OSError:
return False
def _rebuild_duckdb_views(workspace: Path, parquet_dir: Path) -> None:
"""Recreate DuckDB views from downloaded parquets. Preserve user tables.
The DuckDB file at `<workspace>/user/duckdb/analytics.duckdb` is
created unconditionally (even on an empty pull) — downstream readers
expect the file to exist. The parquet rebuild loop is a no-op when
`parquet_dir` is missing.
"""
import duckdb
db_path = workspace / "user" / "duckdb" / "analytics.duckdb"
db_path.parent.mkdir(parents=True, exist_ok=True)
conn = duckdb.connect(str(db_path))
try:
# Existing user-created BASE TABLEs we must not shadow with views.
try:
existing_tables = {
row[0] for row in conn.execute(
"SELECT table_name FROM information_schema.tables "
"WHERE table_type='BASE TABLE'"
).fetchall()
}
except Exception:
existing_tables = set()
# Drop all current views so the rebuild is from a clean slate.
try:
views = conn.execute(
"SELECT table_name FROM information_schema.tables WHERE table_type='VIEW'"
).fetchall()
for (view_name,) in views:
conn.execute(f'DROP VIEW IF EXISTS "{view_name}"')
except Exception:
pass
# Recreate views for each parquet file. One broken file (corrupt
# download, partial write left over from a previous run, ...) must
# not abort the whole rebuild — skip and keep going.
if parquet_dir.exists():
for pq_file in parquet_dir.rglob("*.parquet"):
view_name = pq_file.stem
if view_name in existing_tables:
continue
if not _is_valid_parquet(pq_file):
continue
abs_path = str(pq_file.resolve())
try:
conn.execute(
f'CREATE VIEW "{view_name}" AS '
f"SELECT * FROM read_parquet('{abs_path}')"
)
except duckdb.Error:
continue
finally:
conn.close()
def _item_to_md(item: dict) -> str:
"""Render a knowledge item as a Markdown rule file."""
lines = [f"# {item.get('title', 'Untitled')}"]
if item.get("domain"):
lines.append(f"_Domain: {item['domain']}_")
if item.get("category"):
lines.append(f"_Category: {item['category']}_")
lines.append("")
lines.append(item.get("content", ""))
return "\n".join(lines)
def _fetch_and_write_rules(workspace: Path) -> int:
"""Fetch /api/memory/bundle and write `.claude/rules/km_*.md` files.
Returns the count of rule files actually written.
Lazy mkdir contract — Task 8 fix vs. legacy `cli/commands/sync.py`:
the rules directory is created only when the bundle has at least one
mandatory item or a non-empty approved list. An empty bundle leaves
the workspace untouched (no `.claude/rules/` shell, no `km_approved.md`
cleanup attempt against a directory that doesn't exist).
The km_*.md namespace in `.claude/rules/` is server-managed: this
function is the only writer, and it prunes any stale km_*.md files on
every run that materializes the directory. Do not create km_*.md
files manually — they will be removed on next pull.
"""
rules_dir = workspace / ".claude" / "rules"
resp = api_get("/api/memory/bundle")
resp.raise_for_status()
bundle = resp.json()
mandatory = bundle.get("mandatory", []) or []
approved = bundle.get("approved", []) or []
# Lazy mkdir — empty bundle leaves the workspace tree alone.
if not mandatory and not approved:
return 0
rules_dir.mkdir(parents=True, exist_ok=True)
written: set[str] = set()
# One file per mandatory item.
for item in mandatory:
item_id = item.get("id", "")
if not _SAFE_ID_RE.match(item_id):
# Silently skip unsafe ids — caller has no Typer.echo here.
continue
fname = f"km_{item_id}.md"
(rules_dir / fname).write_text(_item_to_md(item), encoding="utf-8")
written.add(fname)
# Approved items roll up into a single file.
if approved:
lines = ["# Approved Corporate Knowledge\n"]
for item in approved:
lines.append(f"## {item.get('title', 'Untitled')}\n")
lines.append(item.get("content", "") + "\n")
(rules_dir / "km_approved.md").write_text("\n".join(lines), encoding="utf-8")
written.add("km_approved.md")
else:
stale = rules_dir / "km_approved.md"
if stale.exists():
stale.unlink()
# Prune stale per-item files no longer mandatory.
for existing in rules_dir.glob("km_*.md"):
if existing.name not in written and existing.name != "km_approved.md":
existing.unlink()
return len(written)
Reference in a new issue View git blame Copy permalink