d6ad08f107
* feat(store): flea-market upload guardrails + soft delete + JOIN-based admin queue
Adds an end-to-end guardrails pipeline for store uploads (manifest +
static-security + LLM review), persists blocked bundles for forensics,
introduces soft-delete (Archive) semantics, consolidates the legacy
/store/{id} surface into /marketplace/flea/{id}, and reworks the admin
queue so lifecycle filters read live entity visibility via LEFT JOIN
rather than a denormalized submission column.
Schema v29 → v35:
* v29 store_submissions table + store_entities.visibility_status
* v30 file_size, bundle_sha256, bundle_purged_at on submissions
* v31 reshape store_submissions (drop legacy unique on entity_id)
* v32 store_entities.archived_at/by + 'archived' visibility value
* v33 drop store_submissions.retry_count (unused)
* v34 ensure idx_store_submissions_entity exists post column-drop
* v35 broaden visibility_status enum + JOIN architecture cutover
Pipeline (src/store_guardrails/):
* Inline checks: manifest_check, static_scan, quality_check
* LLM review configurable haiku|sonnet|opus (default haiku)
* BackgroundTasks-driven async path with structured-output JSON
* Per-submitter daily quota (default 50)
* 30-day TTL purge job (POST /api/admin/run-blocked-purge)
* Bundle SHA256 + size persisted; sha256 survives purge for forensics
Visibility model:
* pending | approved | hidden | archived
* _enforce_visibility returns 404 (no leak) for non-owner non-admin
* Owner sees own non-approved entries via include_owner_id widening
* Install refused with 409 entity_not_approved when not approved
Soft-delete (DELETE /api/store/entities/{id}):
* Default = soft (visibility_status='archived'); existing installs
keep getting served the bundle so users don't lose the plugin
* ?hard=true admin-only: drops bundle + cascades user_store_installs
* Hard-delete preserves entity_id on submission as tombstone so
audit_log linkage survives for the activity timeline
Admin queue lifecycle (the JOIN refactor):
* Verdict (store_submissions.status) is immutable forensic record
* Lifecycle (store_entities.visibility_status) is live state
* /admin/store/submissions Archived chip translates to
`e.visibility_status='archived'` via LEFT JOIN — any path that
flips visibility surfaces in the queue immediately
* Detail page renders Status (verdict) and Entity lifecycle side by
side so admins see "approved at review, now archived" at a glance
URL consolidation:
* /store/{id} deleted (no redirect, stale bookmarks 404)
* /marketplace/flea/{id} is the canonical detail surface
* Three in-tree callers (upload-success, my-stack card, store
listing card) updated to point at the new URL
* Quarantine banner extracted to _quarantine_banner.html partial,
self-guarded, included from both flea detail templates
* Banner JS auto-refreshes when the verdict lands by polling
/api/marketplace/flea/{id}/detail (visibility_status +
submission_status — the latter is needed because blocked_llm
keeps the entity at visibility_status='pending')
Audit log resource format:
* runner.py emits prefixed `store_submission:{id}` (post-fix)
* Detail-page timeline query handles three patterns: prefixed
submission, helper-emitted `store_entity:{sub_id}`, and bare-id
legacy rows — all surface in the activity timeline
UX fixes:
* Owner sees Under review / Quarantined / Hidden banner with status
* Install button gray-disabled (not blue) when non-approved
* Owner cannot delete quarantined entries (403); admin can
* Admin queue: filter chips, sortable columns, paging, page-size
* Auto-refresh queue every 5s while pending rows are visible
* Store upload page file picker no longer opens twice (label →
input default action collided with explicit JS handler)
Tests: 168 passed across the guardrails suites (admin submissions,
store API, inline / LLM / purge guardrails, store repositories,
marketplace filter, schema version). New regression coverage
includes: archive surfaces via JOIN even when API path is bypassed;
deleted submission renders activity timeline (tombstone); flea
detail surfaces submission_status only for owner/admin; detail page
renders Entity lifecycle row; audit log resource format covers both
helper and runner paths.
* fix(store-guardrails): PR #233 follow-up — prompt injection, atomic PUT, BG race, schema, reaper, sort whitelist
Addresses 9 of the 23 findings from the PR #233 review (spec at
docs/superpowers/specs/2026-05-09-pr233-guardrails-fixes-spec.md).
Merge-gate items #1-#6 plus high-value mediums #7, #9-#12, #23.
Architectural items (#8 enum split, #14 factory) and pure
maintainability (#15-#22) deferred to follow-ups.
Security:
* #1 prompt injection — SYSTEM_PROMPT now passed via the SDK's
dedicated system= parameter; bundle wrapped in <bundle>...</bundle>
sentinels declared data-only by the system prompt; literal
sentinel strings in user content are escaped so an adversarial
README can't forge a close tag.
* #6 static scan honesty — module docstring + admin copy + docs
declare static scan as signal not gate; .md/.txt/.rst/.html/.json/
.yaml/.yml/.toml skipped to avoid false positives on prose.
AST mode for Python deferred (separate flag, FP comparison work).
Correctness:
* #2 PUT atomicity — bundles bake into plugin.staging-<rand>/
alongside live, atomic-rename on success; failed checks leave
live tree byte-for-byte intact.
* #3 BG-task race — set_visibility_if_pending guards verdict flips
to the (pending, hidden) review window; admin archives during
review survive; skipped flips audit-logged.
* #4 v35 NOT NULL/DEFAULT — schema v35→v36 re-applies them on
store_entities.visibility_status. CHECK constraint enforced
application-side (DuckDB ADD CHECK on existing column unsupported).
* #7 stuck-review reaper — reap_stuck_llm_reviews flips pending_llm
rows older than guardrails.stuck_review_grace_seconds (default
1800) to review_error. Scheduler runs every 15 min via new
/api/admin/run-reap-stuck-reviews. Set knob to 0 to disable.
* #9 quota counter — count_blocked_for_submitter_since now counts
blocked_inline + blocked_llm + review_error so a submitter
triggering only LLM-blocked verdicts is bounded.
* #10 missing risk_level — surfaces as review_error with
error='missing_risk_level' instead of silently defaulting to
'medium' (which looked like a model-decided block).
* #11 archived_at clear — set_visibility nulls archived_at +
archived_by when transitioning out of 'archived' so a future
read doesn't show stale archive forensics on an approved row.
Maintainability:
* #12 FSM doc comment — accurate insert/transition/lifecycle
description in src/db.py near store_submissions schema.
* #23 sort-key whitelist — admin queue rejects unknown sort keys
with 400 invalid_sort_key; substring-replace footgun removed.
Deferred (separate PRs):
* #5 quota race — proper fix requires asyncio.Lock spanning the
full pipeline; threading.Lock blocks event loop, DuckDB MVCC
doesn't help. API-level slowapi bounds worst case for now.
* #6 part 3 (AST static scan), #8 (enum split), #13 (import
bundle docs), #14 (factory consolidation), #15-#22 (maint).
Tests:
* New: tests/test_store_guardrails_prompt_injection.py (corpus +
trust-boundary invariants), tests/test_store_put_atomic.py,
tests/test_store_guardrails_reaper.py.
* Extended: test_store_guardrails_llm.py (system param, missing
risk_level, BG race), test_admin_store_submissions.py (quota
counter widening, sort whitelist 400), test_store_repositories.py
(un-archive metadata clear), test_db_schema_version.py (v36).
* Full suite: 3738 passed; 17 pre-existing baseline failures
unchanged (db migration tests, cli binary rename, catalog export,
user mgmt v5 backfill — confirmed by stash + rerun on clean tree).
241 lines
9.5 KiB
HTML
241 lines
9.5 KiB
HTML
{# Shared quarantine banner partial.
|
|
|
|
Surfaces submission status (under review / quarantined / hidden /
|
|
override-applied) to the entity owner + admins. Self-guarded so it's
|
|
safe to {% include %} from any detail page — renders nothing when
|
|
the entity is approved or the viewer isn't owner/admin.
|
|
|
|
Required scope:
|
|
entity — store_entities row (must carry visibility_status,
|
|
visibility_status; entity.id surfaces in admin
|
|
detail link)
|
|
quarantine_sub — latest store_submissions row for entity, or None
|
|
is_owner — bool, viewer == entity.owner_user_id
|
|
is_admin — bool, viewer is in Admin group
|
|
|
|
Mirror of the version that previously lived in store_detail.html.
|
|
Wording stays consistent with the per-status messaging the user
|
|
approved earlier — only the rendering location changed.
|
|
#}
|
|
|
|
{% if entity.visibility_status != 'approved' and (is_owner or is_admin) %}
|
|
<style>
|
|
.vis-banner {
|
|
margin: 12px 0 16px 0;
|
|
padding: 14px 18px;
|
|
border-radius: 10px;
|
|
font-size: 14px;
|
|
border: 1px solid;
|
|
}
|
|
.vis-banner.pending { background: #fef3c7; color: #92400e; border-color: #fde68a; }
|
|
.vis-banner.blocked { background: #fee2e2; color: #991b1b; border-color: #fecaca; }
|
|
.vis-banner.hidden { background: #e5e7eb; color: #374151; border-color: #d1d5db; }
|
|
.vis-banner h3 { margin: 0 0 6px 0; font-size: 15px; font-weight: 600; }
|
|
.vis-banner ul { margin: 6px 0 0 0; padding-left: 20px; font-size: 13px; }
|
|
.vis-banner code { background: rgba(0,0,0,0.06); padding: 1px 6px; border-radius: 4px; font-size: 12px; }
|
|
.vis-banner .actions { margin-top: 10px; }
|
|
.vis-banner .actions a {
|
|
display: inline-block; padding: 5px 12px; border-radius: 6px;
|
|
background: rgba(0,0,0,0.08); color: inherit; text-decoration: none;
|
|
font-size: 12px; font-weight: 500;
|
|
}
|
|
</style>
|
|
|
|
{% set sub = quarantine_sub %}
|
|
{% set st = sub.status if sub else entity.visibility_status %}
|
|
{% set bcls = 'pending' if st in ['pending_inline','pending_llm','pending']
|
|
else ('blocked' if st in ['blocked_inline','blocked_llm','review_error']
|
|
else 'hidden') %}
|
|
|
|
<div class="vis-banner {{ bcls }}">
|
|
{% if st == 'pending_llm' or st == 'pending_inline' or st == 'pending' %}
|
|
<h3>⟳ Under review</h3>
|
|
<div>
|
|
Your submission is being checked. It is hidden from the public
|
|
Store and from anyone else's view until all checks pass. Page
|
|
refreshes automatically when the verdict lands — usually a few
|
|
seconds.
|
|
</div>
|
|
|
|
{% elif st == 'blocked_inline' %}
|
|
<h3>⚠ Quarantined — automated checks failed</h3>
|
|
<div>
|
|
Your submission failed at least one automated check and has been
|
|
quarantined. It is hidden from the public Store and from every
|
|
other user; nobody can install it. Fix the issues below and
|
|
re-upload to retry, or wait for an admin to resolve the
|
|
quarantine.
|
|
</div>
|
|
{% if sub and sub.inline_checks %}
|
|
{% set ic = sub.inline_checks %}
|
|
{% if ic.manifest and ic.manifest.issues %}
|
|
<ul>
|
|
{% for issue in ic.manifest.issues %}<li>manifest: <code>{{ issue }}</code></li>{% endfor %}
|
|
</ul>
|
|
{% endif %}
|
|
{% if ic.static_security and ic.static_security.findings %}
|
|
<ul>
|
|
{% for f in ic.static_security.findings[:6] %}
|
|
<li>security: <code>{{ f.file }}:{{ f.line }}</code> — {{ f.reason }}</li>
|
|
{% endfor %}
|
|
{% if ic.static_security.findings|length > 6 %}
|
|
<li><em>… and {{ ic.static_security.findings|length - 6 }} more</em></li>
|
|
{% endif %}
|
|
</ul>
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% elif st == 'blocked_llm' %}
|
|
<h3>⚠ Quarantined — security review flagged risk</h3>
|
|
<div>
|
|
The security reviewer flagged this submission. It is hidden from
|
|
the public Store and from every other user; nobody can install
|
|
it. Address the findings below and re-upload, or wait for an
|
|
admin to resolve the quarantine.
|
|
</div>
|
|
{% if sub and sub.llm_findings %}
|
|
{% if sub.llm_findings.summary %}
|
|
<div style="margin-top: 6px;"><em>{{ sub.llm_findings.summary }}</em></div>
|
|
{% endif %}
|
|
{% if sub.llm_findings.findings %}
|
|
<ul>
|
|
{% for f in sub.llm_findings.findings[:6] %}
|
|
<li>[{{ f.severity }}] <code>{{ f.file }}</code> — {{ f.explanation }}</li>
|
|
{% endfor %}
|
|
</ul>
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% elif st == 'review_error' %}
|
|
<h3>⚠ Under review — security check errored</h3>
|
|
<div>
|
|
The security reviewer couldn't complete its check. The submission
|
|
stays hidden until an admin retries. No action needed from you.
|
|
</div>
|
|
{% if sub and sub.llm_findings and sub.llm_findings.error %}
|
|
<div style="margin-top: 6px; font-family: ui-monospace, SFMono-Regular, Menlo, monospace; font-size: 12px; word-break: break-word;">
|
|
Error: {{ sub.llm_findings.error }}
|
|
</div>
|
|
{% endif %}
|
|
{# Surface any inline-check findings that were captured before the
|
|
LLM step errored — gives the submitter something concrete to
|
|
look at instead of a bare "errored" message. #}
|
|
{% if sub and sub.inline_checks %}
|
|
{% set ic = sub.inline_checks %}
|
|
{% if ic.static_security and ic.static_security.findings %}
|
|
<ul>
|
|
{% for f in ic.static_security.findings[:6] %}
|
|
<li>security: <code>{{ f.file }}:{{ f.line }}</code> — {{ f.reason }}</li>
|
|
{% endfor %}
|
|
</ul>
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% elif st == 'overridden' %}
|
|
<h3>✓ Admin override applied</h3>
|
|
<div>This submission was force-published by an admin.</div>
|
|
{% if sub and sub.override_reason %}
|
|
<div style="margin-top: 6px; font-size: 13px;">
|
|
<em>Override reason:</em> {{ sub.override_reason }}
|
|
</div>
|
|
{% endif %}
|
|
|
|
{% else %}
|
|
{# Fallback for hidden / unexpected lifecycle states. Surface
|
|
whatever verdict context the submission row carries so an
|
|
admin doesn't see a bare "Hidden" with no actionable detail. #}
|
|
<h3>Hidden</h3>
|
|
<div>
|
|
This entity is not visible in the public Store
|
|
(<code>visibility_status = "{{ entity.visibility_status }}"</code>).
|
|
</div>
|
|
{% if sub and sub.inline_checks %}
|
|
{% set ic = sub.inline_checks %}
|
|
{% if ic.manifest and ic.manifest.issues %}
|
|
<ul>
|
|
{% for issue in ic.manifest.issues %}<li>manifest: <code>{{ issue }}</code></li>{% endfor %}
|
|
</ul>
|
|
{% endif %}
|
|
{% if ic.static_security and ic.static_security.findings %}
|
|
<ul>
|
|
{% for f in ic.static_security.findings[:6] %}
|
|
<li>security: <code>{{ f.file }}:{{ f.line }}</code> — {{ f.reason }}</li>
|
|
{% endfor %}
|
|
</ul>
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if sub and sub.llm_findings %}
|
|
{% if sub.llm_findings.summary %}
|
|
<div style="margin-top: 6px;"><em>{{ sub.llm_findings.summary }}</em></div>
|
|
{% endif %}
|
|
{% if sub.llm_findings.findings %}
|
|
<ul>
|
|
{% for f in sub.llm_findings.findings[:6] %}
|
|
<li>[{{ f.severity }}] <code>{{ f.file }}</code> — {{ f.explanation }}</li>
|
|
{% endfor %}
|
|
</ul>
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
{% if is_admin and sub %}
|
|
<div class="actions">
|
|
<a href="/admin/store/submissions/{{ sub.id }}">Open submission detail →</a>
|
|
</div>
|
|
{% endif %}
|
|
</div>
|
|
|
|
{# Auto-refresh while the verdict is pending. Banner copy promises
|
|
"page refreshes automatically when the verdict lands" — this is
|
|
what does it. Polls the owner-accessible flea detail endpoint and
|
|
reloads when EITHER visibility flips off 'pending' OR the
|
|
submission verdict flips off 'pending_inline' / 'pending_llm'.
|
|
Both signals are needed because `blocked_llm` keeps the entity at
|
|
`visibility_status='pending'` (admin can override → publish), so
|
|
visibility alone doesn't fire. Only emits the script while the
|
|
verdict itself is still pending; terminal states render the
|
|
final banner copy and don't need to reload. #}
|
|
{% if quarantine_sub and quarantine_sub.status in ['pending_inline', 'pending_llm'] %}
|
|
<script>
|
|
(function () {
|
|
const entityId = {{ entity.id|tojson }};
|
|
const initialSubStatus = {{ quarantine_sub.status|tojson }};
|
|
const initialVisibility = {{ entity.visibility_status|tojson }};
|
|
let attempts = 0;
|
|
async function tick() {
|
|
attempts++;
|
|
try {
|
|
const r = await fetch(`/api/marketplace/flea/${entityId}/detail`, {
|
|
credentials: 'same-origin',
|
|
headers: {'Accept': 'application/json'},
|
|
});
|
|
if (r.ok) {
|
|
const data = await r.json();
|
|
const subFlipped = data.submission_status
|
|
&& data.submission_status !== initialSubStatus
|
|
&& data.submission_status !== 'pending_inline'
|
|
&& data.submission_status !== 'pending_llm';
|
|
const visFlipped = data.visibility_status
|
|
&& data.visibility_status !== initialVisibility;
|
|
if (subFlipped || visFlipped) {
|
|
window.location.reload();
|
|
return;
|
|
}
|
|
} else if (r.status === 404) {
|
|
// Entity might have been archived/deleted — reload so the
|
|
// page refetches and renders the new state (or a 404).
|
|
window.location.reload();
|
|
return;
|
|
}
|
|
} catch (e) { /* network blip; keep polling */ }
|
|
// First 30 attempts at 3s = 90s of fast polling, then back off
|
|
// to 10s. Same cadence as admin detail polling so an LLM review
|
|
// on Sonnet/Opus has room to land.
|
|
const next = attempts < 30 ? 3000 : 10000;
|
|
setTimeout(tick, next);
|
|
}
|
|
setTimeout(tick, 3000);
|
|
})();
|
|
</script>
|
|
{% endif %}
|
|
{% endif %}
|