9de679c714
* System plugin tier with mark/unmark fanout (schema v39)
Adds a mandatory plugin tier so admins can pin a small set of curated
plugins into every user's stack from day one. Marking a plugin via the
new toggle on /admin/marketplaces materializes resource_grants for every
group and user_plugin_optouts subscriptions for every user, so the
existing resolver pulls the plugin into every served set without a new
filter layer. Hooks on user-create (Google OAuth, magic-link, admin
POST, scheduler) and group-create propagate the same materialization to
new principals. UI locks: /admin/access disables the checkbox with a
SYSTEM pill; /marketplace cards swap the "In stack" green pill for an
amber "Required" badge with shield icon; the plugin detail install
button reads "Required by your org"; /my-ai-stack toggle is disabled.
Bypass paths return 409 (DELETE /api/admin/grants for system grants,
PUT /api/my-stack/curated/.../{enabled:false}, DELETE
/api/marketplace/curated/.../install). Unmark only flips the flag —
materialized rows persist so admins curate cleanup at their leisure
through the now-unlocked /admin/access checkboxes.
* Marketplace UX polish + drop legacy /store and /my-ai-stack pages
Two-part cleanup post-v39:
(1) Page deletion. /store and /my-ai-stack were already replaced by
/marketplace?tab=flea and /marketplace?tab=my respectively, but the
standalone routes lingered. Hard delete in dev mode — no redirects,
stale bookmarks 404. The /store/new upload wizard, the flea
detail/edit pages, the admin queue, and all /api/store/* +
/api/my-stack endpoints (CLI consumers) stay. Internal hardcoded
hrefs in the upload wizard's Cancel button and the advanced-setup
page repointed to the marketplace tabs.
(2) Detail-page install button rework. The single button that morphed
between "+ Add to my stack" and "✓ In your stack" did not
communicate uninstall affordance. The installed state now renders an
inline white status label *before* a separate red-bordered
"✕ Remove from stack" button on the same row, both at identical
height to avoid layout shift. System plugins keep their locked amber
"✓ Required by your org" pill (no Remove button — API refuses 409).
The post-action hint panel now fires on remove too with the title
flipped to "✓ Removed from your stack" — Claude Code needs the same
/update-agnes-plugins refresh either way.
Also: /admin/marketplaces Details modal "Mark as system" toggle
redesigned. The button was near-invisible (matched neutral row
metadata). It's now a balanced amber-toned chip with shield icon
and a structured confirm modal replacing the native confirm() dialog
that summarizes fanout consequences before commit.
* Move stack-hint inside hero with glass-on-gradient styling
The post-action hint card ("✓ Added to your stack" with the
/update-agnes-plugins recipe) used to live below the hero in
panel-what (gray card on white page body). Clicking add/remove
inserted/removed it between the hero and content, shifting the
panels below — a noticeable scroll jump.
The hint is now anchored inside the hero's top-right corner alongside
the install/remove buttons, both as flex children of an absolutely
positioned .actions container. The card uses a translucent
white-on-glass treatment that adopts the hero's kind color (blue for
plugin, green for skill, purple for agent) without per-kind branching.
Hero is always tall enough (160px photo) to contain the action+hint
stack without overflow, so toggling the hint visibility doesn't grow
the hero or shift body content.
The hero-head grid reserves a third 300px column for the absolute
actions overlay so meta gets the proper 1fr free space instead of
being squeezed by a padding-right hack. Responsive breakpoint at
1100px reflows the actions stack below hero-head when the viewport
isn't wide enough to keep meta + actions side-by-side comfortably.
* Add optional -DataPath bind mount to run-local-dev.ps1
When the operator wants to inspect DuckDB files (system.duckdb, extracts,
marketplaces, store/, …) directly from Windows Explorer, the named volume
inside the Docker Desktop WSL VM isn't reachable. The new -DataPath param
generates a transient compose override that rebinds /data on app, scheduler,
extract (and Caddy's /srv:ro mirror) to a Windows host folder.
Fully additive — when -DataPath is omitted everything behaves exactly as
before: no override file is generated, $composeFiles array is unchanged,
finally cleanup is a no-op. Existing positional invocations
(.\run-local-dev.ps1 up | down | logs) keep binding to $Action because
$DataPath is a named-only parameter with no Position attribute.
The override is written via [System.IO.File]::WriteAllText so the YAML is
BOM-less across PS 5.1 / 7+ — Compose rejects BOM-prefixed YAML on Windows.
The override file is unique per PID and removed in the script's finally
block so concurrent invocations and crashes don't leak files.
* factor mark_system fanout into UserCuratedSubscriptionsRepository
The endpoint imported UserCuratedSubscriptionsRepository, ignored it
(noqa: F841), then duplicated the user-side fanout SQL inline. Adds
fanout_system_for_plugin() symmetric to the existing
fanout_system_for_user() and routes mark_plugin_system through it —
removes the dead import + 14 lines of inline SQL, returns the same
`affected_users` delta count, no behavior change.
* drop customer-specific path from .ps1 example
Per CLAUDE.md vendor-agnostic OSS rule: replaced
C:\\Business\\Groupon\\Agnes\\agnes-data with the generic
C:\\Users\\<you>\\agnes-data placeholder so the docstring
example reads cleanly on any reviewer's box.
* release: 0.48.0 + parallelize Release-workflow pytest
Cuts the release shipped via #228 #230 #231 #232 #233 #234 #236 #237 #238
#239 #240 plus this PR (#241). Major changes:
- System plugin tier (schema v39) — admins mark a plugin mandatory; fans
out RBAC grants + subscriptions to every existing user/group plus
hooks for new principals
- BREAKING: removed standalone /store + /my-ai-stack page routes
(replaced by /marketplace?tab=flea + /marketplace?tab=my)
- Setup-prompt + bootstrap recovery fixes (#240)
- DuckDB CHECKPOINT-on-shutdown + 60s compose grace (#235)
- Marketplace + flea-market UX polish, agnes-metadata.json enrichment
Bonus: switch release.yml test step to `-n auto` (matches ci.yml).
Single-threaded was 15-20 min and frequently the bottleneck on PR
mergeability — now ~6 min.
---------
Co-authored-by: Minas Arustamyan <arustamyan.minas@gmail.com>
Co-authored-by: ZdenekSrotyr <zdenek.srotyr@keboola.com>
185 lines
7.2 KiB
Python
185 lines
7.2 KiB
Python
"""Repository for the ``user_groups`` table.
|
|
|
|
A ``user_group`` is a named bucket admins create (e.g. ``data-team``,
|
|
``Engineering``) plus the two seeded ``is_system=TRUE`` groups ``Admin``
|
|
and ``Everyone``. Membership lives in
|
|
:mod:`src.repositories.user_group_members`; resource grants in
|
|
:mod:`src.repositories.resource_grants`.
|
|
|
|
System groups are write-protected — :exc:`SystemGroupProtected` is raised
|
|
on attempts to rename or delete them so the canonical ``Admin`` /
|
|
``Everyone`` names referenced from code (``app.auth.access``) cannot
|
|
disappear out from under the authorization layer.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from datetime import datetime, timezone
|
|
from typing import Any, Dict, List, Optional
|
|
from uuid import uuid4
|
|
|
|
import duckdb
|
|
|
|
|
|
class SystemGroupProtected(Exception):
|
|
"""Raised when a mutation is attempted on a system user group (is_system=TRUE)."""
|
|
|
|
|
|
class UserGroupsRepository:
|
|
def __init__(self, conn: duckdb.DuckDBPyConnection):
|
|
self.conn = conn
|
|
|
|
_SELECT_COLS = "id, name, description, is_system, created_at, created_by"
|
|
|
|
def list_all(self) -> List[Dict[str, Any]]:
|
|
rows = self.conn.execute(
|
|
f"SELECT {self._SELECT_COLS} FROM user_groups ORDER BY name"
|
|
).fetchall()
|
|
columns = [d[0] for d in self.conn.description]
|
|
return [dict(zip(columns, r)) for r in rows]
|
|
|
|
def get(self, group_id: str) -> Optional[Dict[str, Any]]:
|
|
row = self.conn.execute(
|
|
f"SELECT {self._SELECT_COLS} FROM user_groups WHERE id = ?",
|
|
[group_id],
|
|
).fetchone()
|
|
if not row:
|
|
return None
|
|
columns = [d[0] for d in self.conn.description]
|
|
return dict(zip(columns, row))
|
|
|
|
def get_by_name(self, name: str) -> Optional[Dict[str, Any]]:
|
|
row = self.conn.execute(
|
|
f"SELECT {self._SELECT_COLS} FROM user_groups WHERE name = ?",
|
|
[name],
|
|
).fetchone()
|
|
if not row:
|
|
return None
|
|
columns = [d[0] for d in self.conn.description]
|
|
return dict(zip(columns, row))
|
|
|
|
def create(
|
|
self,
|
|
name: str,
|
|
description: Optional[str] = None,
|
|
created_by: Optional[str] = None,
|
|
is_system: bool = False,
|
|
) -> Dict[str, Any]:
|
|
group_id = uuid4().hex
|
|
self.conn.execute(
|
|
"INSERT INTO user_groups (id, name, description, is_system, created_at, created_by) "
|
|
"VALUES (?, ?, ?, ?, ?, ?)",
|
|
[group_id, name, description, is_system, datetime.now(timezone.utc), created_by],
|
|
)
|
|
# v39: every newly-created group inherits the mandatory tier — i.e.
|
|
# gets a resource_grants row for every plugin currently flagged
|
|
# is_system=TRUE on marketplace_plugins. Centralised here (rather
|
|
# than at each call site: admin POST, Google sync ensure(),
|
|
# ensure_system seed) so all three paths stay symmetric. On fresh
|
|
# installs the SELECT returns 0 rows so the fanout is a free
|
|
# no-op; on running instances with existing system plugins the
|
|
# new group is fully provisioned before its first member logs in.
|
|
# Fail-soft: a fanout error must not block group creation, since
|
|
# the legacy admin reconcile path (toggling each plugin manually
|
|
# in /admin/access) still works and remains a recovery option.
|
|
try:
|
|
from src.repositories.resource_grants import (
|
|
ResourceGrantsRepository,
|
|
)
|
|
ResourceGrantsRepository(self.conn).fanout_system_for_group(
|
|
group_id, assigned_by=created_by,
|
|
)
|
|
except Exception:
|
|
# Logger import lives at module scope to keep this hot path
|
|
# cheap; absent (no logger configured) → swallow silently
|
|
# rather than raise a NameError. The audit_log row written
|
|
# by the API layer captures the group create event itself,
|
|
# so an admin can manually fan out via /admin/access.
|
|
try:
|
|
import logging as _logging
|
|
_logging.getLogger(__name__).exception(
|
|
"system-plugin grant fanout failed for new group %s",
|
|
group_id,
|
|
)
|
|
except Exception:
|
|
pass
|
|
return self.get(group_id) # type: ignore[return-value]
|
|
|
|
def ensure(
|
|
self, name: str, description: Optional[str] = None
|
|
) -> Dict[str, Any]:
|
|
"""Idempotent get-or-create for claim-driven groups.
|
|
|
|
Existing row is returned unchanged (preserves `is_system` and
|
|
description — a later Google-sync call must not override an admin's
|
|
manual description edit).
|
|
"""
|
|
existing = self.get_by_name(name)
|
|
if existing:
|
|
return existing
|
|
return self.create(
|
|
name=name,
|
|
description=description or "Auto-created from Google Workspace claim",
|
|
created_by="system:google-sync",
|
|
)
|
|
|
|
def ensure_system(self, name: str, description: str) -> Dict[str, Any]:
|
|
"""Idempotently ensure a system group exists.
|
|
|
|
If a group with the given name exists (manually created by an admin),
|
|
promote it to system (is_system=TRUE). Otherwise create a new one.
|
|
"""
|
|
existing = self.get_by_name(name)
|
|
if existing:
|
|
if not existing.get("is_system"):
|
|
self.conn.execute(
|
|
"UPDATE user_groups SET is_system = TRUE WHERE id = ?",
|
|
[existing["id"]],
|
|
)
|
|
existing = self.get(existing["id"]) # type: ignore[assignment]
|
|
return existing # type: ignore[return-value]
|
|
return self.create(name=name, description=description, is_system=True)
|
|
|
|
def update(
|
|
self,
|
|
group_id: str,
|
|
*,
|
|
name: Optional[str] = None,
|
|
description: Optional[str] = None,
|
|
) -> None:
|
|
# Block rename of system groups — the canonical names "Admin" /
|
|
# "Everyone" are referenced from `app.auth.access` and the
|
|
# marketplace filter and must not move. Description edits are
|
|
# cosmetic and allowed (admins curate them in /admin/access).
|
|
existing = self.get(group_id)
|
|
if (
|
|
existing
|
|
and existing.get("is_system")
|
|
and name is not None
|
|
and name != existing["name"]
|
|
):
|
|
raise SystemGroupProtected(
|
|
f"group {existing.get('name')!r} is a system group and cannot be renamed"
|
|
)
|
|
sets: List[str] = []
|
|
params: List[Any] = []
|
|
if name is not None:
|
|
sets.append("name = ?")
|
|
params.append(name)
|
|
if description is not None:
|
|
sets.append("description = ?")
|
|
params.append(description)
|
|
if not sets:
|
|
return
|
|
params.append(group_id)
|
|
self.conn.execute(
|
|
f"UPDATE user_groups SET {', '.join(sets)} WHERE id = ?", params
|
|
)
|
|
|
|
def delete(self, group_id: str) -> None:
|
|
existing = self.get(group_id)
|
|
if existing and existing.get("is_system"):
|
|
raise SystemGroupProtected(
|
|
f"group {existing.get('name')!r} is a system group and cannot be deleted"
|
|
)
|
|
self.conn.execute("DELETE FROM user_groups WHERE id = ?", [group_id])
|