9de679c714
* System plugin tier with mark/unmark fanout (schema v39)
Adds a mandatory plugin tier so admins can pin a small set of curated
plugins into every user's stack from day one. Marking a plugin via the
new toggle on /admin/marketplaces materializes resource_grants for every
group and user_plugin_optouts subscriptions for every user, so the
existing resolver pulls the plugin into every served set without a new
filter layer. Hooks on user-create (Google OAuth, magic-link, admin
POST, scheduler) and group-create propagate the same materialization to
new principals. UI locks: /admin/access disables the checkbox with a
SYSTEM pill; /marketplace cards swap the "In stack" green pill for an
amber "Required" badge with shield icon; the plugin detail install
button reads "Required by your org"; /my-ai-stack toggle is disabled.
Bypass paths return 409 (DELETE /api/admin/grants for system grants,
PUT /api/my-stack/curated/.../{enabled:false}, DELETE
/api/marketplace/curated/.../install). Unmark only flips the flag —
materialized rows persist so admins curate cleanup at their leisure
through the now-unlocked /admin/access checkboxes.
* Marketplace UX polish + drop legacy /store and /my-ai-stack pages
Two-part cleanup post-v39:
(1) Page deletion. /store and /my-ai-stack were already replaced by
/marketplace?tab=flea and /marketplace?tab=my respectively, but the
standalone routes lingered. Hard delete in dev mode — no redirects,
stale bookmarks 404. The /store/new upload wizard, the flea
detail/edit pages, the admin queue, and all /api/store/* +
/api/my-stack endpoints (CLI consumers) stay. Internal hardcoded
hrefs in the upload wizard's Cancel button and the advanced-setup
page repointed to the marketplace tabs.
(2) Detail-page install button rework. The single button that morphed
between "+ Add to my stack" and "✓ In your stack" did not
communicate uninstall affordance. The installed state now renders an
inline white status label *before* a separate red-bordered
"✕ Remove from stack" button on the same row, both at identical
height to avoid layout shift. System plugins keep their locked amber
"✓ Required by your org" pill (no Remove button — API refuses 409).
The post-action hint panel now fires on remove too with the title
flipped to "✓ Removed from your stack" — Claude Code needs the same
/update-agnes-plugins refresh either way.
Also: /admin/marketplaces Details modal "Mark as system" toggle
redesigned. The button was near-invisible (matched neutral row
metadata). It's now a balanced amber-toned chip with shield icon
and a structured confirm modal replacing the native confirm() dialog
that summarizes fanout consequences before commit.
* Move stack-hint inside hero with glass-on-gradient styling
The post-action hint card ("✓ Added to your stack" with the
/update-agnes-plugins recipe) used to live below the hero in
panel-what (gray card on white page body). Clicking add/remove
inserted/removed it between the hero and content, shifting the
panels below — a noticeable scroll jump.
The hint is now anchored inside the hero's top-right corner alongside
the install/remove buttons, both as flex children of an absolutely
positioned .actions container. The card uses a translucent
white-on-glass treatment that adopts the hero's kind color (blue for
plugin, green for skill, purple for agent) without per-kind branching.
Hero is always tall enough (160px photo) to contain the action+hint
stack without overflow, so toggling the hint visibility doesn't grow
the hero or shift body content.
The hero-head grid reserves a third 300px column for the absolute
actions overlay so meta gets the proper 1fr free space instead of
being squeezed by a padding-right hack. Responsive breakpoint at
1100px reflows the actions stack below hero-head when the viewport
isn't wide enough to keep meta + actions side-by-side comfortably.
* Add optional -DataPath bind mount to run-local-dev.ps1
When the operator wants to inspect DuckDB files (system.duckdb, extracts,
marketplaces, store/, …) directly from Windows Explorer, the named volume
inside the Docker Desktop WSL VM isn't reachable. The new -DataPath param
generates a transient compose override that rebinds /data on app, scheduler,
extract (and Caddy's /srv:ro mirror) to a Windows host folder.
Fully additive — when -DataPath is omitted everything behaves exactly as
before: no override file is generated, $composeFiles array is unchanged,
finally cleanup is a no-op. Existing positional invocations
(.\run-local-dev.ps1 up | down | logs) keep binding to $Action because
$DataPath is a named-only parameter with no Position attribute.
The override is written via [System.IO.File]::WriteAllText so the YAML is
BOM-less across PS 5.1 / 7+ — Compose rejects BOM-prefixed YAML on Windows.
The override file is unique per PID and removed in the script's finally
block so concurrent invocations and crashes don't leak files.
* factor mark_system fanout into UserCuratedSubscriptionsRepository
The endpoint imported UserCuratedSubscriptionsRepository, ignored it
(noqa: F841), then duplicated the user-side fanout SQL inline. Adds
fanout_system_for_plugin() symmetric to the existing
fanout_system_for_user() and routes mark_plugin_system through it —
removes the dead import + 14 lines of inline SQL, returns the same
`affected_users` delta count, no behavior change.
* drop customer-specific path from .ps1 example
Per CLAUDE.md vendor-agnostic OSS rule: replaced
C:\\Business\\Groupon\\Agnes\\agnes-data with the generic
C:\\Users\\<you>\\agnes-data placeholder so the docstring
example reads cleanly on any reviewer's box.
* release: 0.48.0 + parallelize Release-workflow pytest
Cuts the release shipped via #228 #230 #231 #232 #233 #234 #236 #237 #238
#239 #240 plus this PR (#241). Major changes:
- System plugin tier (schema v39) — admins mark a plugin mandatory; fans
out RBAC grants + subscriptions to every existing user/group plus
hooks for new principals
- BREAKING: removed standalone /store + /my-ai-stack page routes
(replaced by /marketplace?tab=flea + /marketplace?tab=my)
- Setup-prompt + bootstrap recovery fixes (#240)
- DuckDB CHECKPOINT-on-shutdown + 60s compose grace (#235)
- Marketplace + flea-market UX polish, agnes-metadata.json enrichment
Bonus: switch release.yml test step to `-n auto` (matches ci.yml).
Single-threaded was 15-20 min and frequently the bottleneck on PR
mergeability — now ~6 min.
---------
Co-authored-by: Minas Arustamyan <arustamyan.minas@gmail.com>
Co-authored-by: ZdenekSrotyr <zdenek.srotyr@keboola.com>
193 lines
7.5 KiB
Python
193 lines
7.5 KiB
Python
"""Repository for per-user curated marketplace subscriptions (Model B opt-in).
|
||
|
||
Backed by the historically-named ``user_plugin_optouts`` table. Pre-v28 a row
|
||
represented an opt-OUT against an admin-granted plugin; v28 inverts the
|
||
semantic — row PRESENCE now means the user is subscribed. The DDL rename was
|
||
intentionally skipped to avoid migration churn on running operator instances;
|
||
the v28 migration wipes the rows so the inverted reading starts clean.
|
||
|
||
Used by ``src/marketplace_filter.py:resolve_user_marketplace`` to compute the
|
||
served plugin set as ``(rbac_grants ∩ subscriptions) ∪ store_installs``.
|
||
"""
|
||
|
||
from __future__ import annotations
|
||
|
||
from typing import Any, Dict, List, Set, Tuple
|
||
|
||
import duckdb
|
||
|
||
|
||
class UserCuratedSubscriptionsRepository:
|
||
def __init__(self, conn: duckdb.DuckDBPyConnection):
|
||
self.conn = conn
|
||
|
||
def subscribe(
|
||
self, user_id: str, marketplace_id: str, plugin_name: str
|
||
) -> bool:
|
||
"""Idempotent. Returns True iff a new row was inserted."""
|
||
before = self.conn.execute(
|
||
"SELECT 1 FROM user_plugin_optouts "
|
||
"WHERE user_id = ? AND marketplace_id = ? AND plugin_name = ?",
|
||
[user_id, marketplace_id, plugin_name],
|
||
).fetchone()
|
||
if before:
|
||
return False
|
||
self.conn.execute(
|
||
"INSERT INTO user_plugin_optouts "
|
||
"(user_id, marketplace_id, plugin_name) VALUES (?, ?, ?) "
|
||
"ON CONFLICT (user_id, marketplace_id, plugin_name) DO NOTHING",
|
||
[user_id, marketplace_id, plugin_name],
|
||
)
|
||
return True
|
||
|
||
def unsubscribe(
|
||
self, user_id: str, marketplace_id: str, plugin_name: str
|
||
) -> bool:
|
||
"""Returns True iff a row was deleted."""
|
||
before = self.conn.execute(
|
||
"SELECT 1 FROM user_plugin_optouts "
|
||
"WHERE user_id = ? AND marketplace_id = ? AND plugin_name = ?",
|
||
[user_id, marketplace_id, plugin_name],
|
||
).fetchone()
|
||
if not before:
|
||
return False
|
||
self.conn.execute(
|
||
"DELETE FROM user_plugin_optouts "
|
||
"WHERE user_id = ? AND marketplace_id = ? AND plugin_name = ?",
|
||
[user_id, marketplace_id, plugin_name],
|
||
)
|
||
return True
|
||
|
||
def is_subscribed(
|
||
self, user_id: str, marketplace_id: str, plugin_name: str
|
||
) -> bool:
|
||
return bool(
|
||
self.conn.execute(
|
||
"SELECT 1 FROM user_plugin_optouts "
|
||
"WHERE user_id = ? AND marketplace_id = ? AND plugin_name = ?",
|
||
[user_id, marketplace_id, plugin_name],
|
||
).fetchone()
|
||
)
|
||
|
||
def subscribed_set(self, user_id: str) -> Set[Tuple[str, str]]:
|
||
"""Return the user's subscriptions as a ``{(marketplace_id, plugin_name)}``
|
||
set — the shape ``resolve_user_marketplace`` filters against.
|
||
"""
|
||
rows = self.conn.execute(
|
||
"SELECT marketplace_id, plugin_name FROM user_plugin_optouts "
|
||
"WHERE user_id = ?",
|
||
[user_id],
|
||
).fetchall()
|
||
return {(r[0], r[1]) for r in rows}
|
||
|
||
def list_for_user(self, user_id: str) -> List[Dict[str, Any]]:
|
||
"""Return the user's subscriptions ordered newest-first."""
|
||
rows = self.conn.execute(
|
||
"SELECT marketplace_id, plugin_name, opted_out_at "
|
||
"FROM user_plugin_optouts WHERE user_id = ? "
|
||
"ORDER BY opted_out_at DESC",
|
||
[user_id],
|
||
).fetchall()
|
||
return [
|
||
{
|
||
"marketplace_id": r[0],
|
||
"plugin_name": r[1],
|
||
"subscribed_at": r[2],
|
||
}
|
||
for r in rows
|
||
]
|
||
|
||
def delete_for_plugin(
|
||
self, marketplace_id: str, plugin_name: str
|
||
) -> int:
|
||
"""Drop all users' subscriptions for a given plugin.
|
||
|
||
Called when a plugin's RBAC grant is revoked or the parent marketplace
|
||
is deleted. Returns count of rows deleted (audit telemetry).
|
||
"""
|
||
before = self.conn.execute(
|
||
"SELECT COUNT(*) FROM user_plugin_optouts "
|
||
"WHERE marketplace_id = ? AND plugin_name = ?",
|
||
[marketplace_id, plugin_name],
|
||
).fetchone()[0]
|
||
self.conn.execute(
|
||
"DELETE FROM user_plugin_optouts "
|
||
"WHERE marketplace_id = ? AND plugin_name = ?",
|
||
[marketplace_id, plugin_name],
|
||
)
|
||
return int(before)
|
||
|
||
def delete_for_marketplace(self, marketplace_id: str) -> int:
|
||
"""Drop all subscriptions for every plugin in a marketplace.
|
||
|
||
Called from ``DELETE /api/marketplaces/{id}`` cleanup path.
|
||
Returns count of rows deleted.
|
||
"""
|
||
before = self.conn.execute(
|
||
"SELECT COUNT(*) FROM user_plugin_optouts WHERE marketplace_id = ?",
|
||
[marketplace_id],
|
||
).fetchone()[0]
|
||
self.conn.execute(
|
||
"DELETE FROM user_plugin_optouts WHERE marketplace_id = ?",
|
||
[marketplace_id],
|
||
)
|
||
return int(before)
|
||
|
||
def fanout_system_for_plugin(
|
||
self, marketplace_id: str, plugin_name: str,
|
||
) -> int:
|
||
"""Subscribe every existing user to ``(marketplace_id, plugin_name)``.
|
||
|
||
Counterpart to ``fanout_system_for_user`` — this side picks one
|
||
plugin and walks every user, that side picks one user and walks
|
||
every system plugin. Both go through the same
|
||
``user_plugin_optouts`` PK + ``ON CONFLICT DO NOTHING`` so they
|
||
compose freely with the user/group-create hooks.
|
||
|
||
Returns the count of NEW subscriptions written (delta of
|
||
before/after row counts) so the admin endpoint can report
|
||
``affected_users`` honestly — re-running on an already-marked
|
||
plugin returns 0 instead of misleadingly reporting "every user".
|
||
"""
|
||
before = self.conn.execute(
|
||
"SELECT COUNT(*) FROM user_plugin_optouts "
|
||
"WHERE marketplace_id = ? AND plugin_name = ?",
|
||
[marketplace_id, plugin_name],
|
||
).fetchone()[0]
|
||
self.conn.execute(
|
||
"""INSERT INTO user_plugin_optouts
|
||
(user_id, marketplace_id, plugin_name)
|
||
SELECT id, ?, ? FROM users
|
||
ON CONFLICT (user_id, marketplace_id, plugin_name) DO NOTHING""",
|
||
[marketplace_id, plugin_name],
|
||
)
|
||
after = self.conn.execute(
|
||
"SELECT COUNT(*) FROM user_plugin_optouts "
|
||
"WHERE marketplace_id = ? AND plugin_name = ?",
|
||
[marketplace_id, plugin_name],
|
||
).fetchone()[0]
|
||
return max(0, int(after) - int(before))
|
||
|
||
def fanout_system_for_user(self, user_id: str) -> None:
|
||
"""Subscribe ``user_id`` to every ``is_system=TRUE`` marketplace_plugin.
|
||
|
||
Idempotent — the table's PRIMARY KEY ``(user_id, marketplace_id,
|
||
plugin_name)`` plus ``ON CONFLICT … DO NOTHING`` keeps existing
|
||
subscriptions untouched.
|
||
|
||
Called from two places:
|
||
* the admin ``mark_system`` endpoint (one plugin × every existing
|
||
user, with the SELECT-side filter still walking all system
|
||
plugins — symmetric with ``fanout_system_for_group``)
|
||
* the user-create hooks (Google OAuth, magic-link, admin-create,
|
||
scheduler token) so a new user lands in the mandatory tier
|
||
without an admin reconcile.
|
||
"""
|
||
self.conn.execute(
|
||
"""INSERT INTO user_plugin_optouts
|
||
(user_id, marketplace_id, plugin_name)
|
||
SELECT ?, marketplace_id, name
|
||
FROM marketplace_plugins WHERE is_system = TRUE
|
||
ON CONFLICT (user_id, marketplace_id, plugin_name) DO NOTHING""",
|
||
[user_id],
|
||
)
|