mirror of
https://github.com/alkimake/paperclip.git
synced 2026-06-16 10:50:38 +09:00
[codex] Add agent permissions and controls plan (#6386)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies by keeping task ownership, approvals, and operator control inside one control plane. > - Agent permissions and plugin-hosted company settings sit on the boundary between autonomy and governance. > - V1 needs scoped task assignment rules, plugin extension points, and clearer company access surfaces without weakening company boundaries. > - The branch builds the core authorization service, plugin SDK/host APIs, and UI simplifications needed to support those controls. > - Paperclip EE plugin surfaces were intentionally moved out of this core PR per review direction, so this PR now carries only the public core/plugin infrastructure work. > - The latest updates preserve the PAP-9937 branch changes that belong in this PR, remove the `design/` artifacts, and exclude the experimental `plugin-briefs` package. > - Greptile feedback was applied through the authorization/audit paths and the final cleanup commit was re-reviewed at 5/5 with no unresolved Greptile threads. > - The benefit is safer assignment control with extension hooks for richer permission products while preserving simple defaults for normal operators. ## What Changed - Added scoped task-assignment authorization decisions and routed issue/agent assignment mutations through the authorization service. - Added plugin SDK and host APIs for company settings slots, authorization policy/grant management, assignment previews, and bridge invocation scope propagation. - Simplified core company access UI and moved advanced controls behind plugin-provided settings surfaces. - Added retry-now affordances for blocked issue next-step notices. - Added protected-assignment enforcement for persisted agent/project/issue policies, including explicit-grant fallback behavior. - Added incremental principal-access compatibility backfill for active agent memberships and role-default human permission grants. - Added the Markdown code block wrap action fix from the latest branch changes. - Removed `design/` artifacts from the PR and removed `packages/plugins/plugin-briefs` from the final diff. - Addressed Greptile feedback for plugin actor sanitization, legacy membership handling, audit pagination, unknown grant-scope metadata, and startup test mocks. ## Verification - `pnpm exec vitest run server/src/__tests__/access-service.test.ts server/src/__tests__/company-portability.test.ts` -> 2 files passed, 54 tests passed. - `pnpm exec vitest run server/src/__tests__/server-startup-feedback-export.test.ts server/src/__tests__/access-service.test.ts server/src/__tests__/company-portability.test.ts` -> 3 files passed, 62 tests passed. - `pnpm exec vitest run server/src/__tests__/authorization-service.test.ts server/src/__tests__/plugin-access-authorization-host-services.test.ts server/src/__tests__/server-startup-feedback-export.test.ts` -> 3 files passed, 28 tests passed. - `pnpm --filter @paperclipai/server typecheck` -> passed. - `git diff --check` -> passed. - `node ./scripts/check-docker-deps-stage.mjs` -> passed. - `CI=true pnpm install --frozen-lockfile --ignore-scripts` -> passed with no lockfile update. - `pnpm exec vitest run ui/src/components/MarkdownBody.interaction.test.tsx` -> 1 test passed. - `git ls-files design packages/plugins/plugin-briefs | wc -l` -> 0. - GitHub CI on `40cd83b53` -> all checks passed, merge state `CLEAN`. - Greptile on `40cd83b53` -> 5/5, 102 files reviewed, 0 comments/annotations added, 0 unresolved review threads. - Confirmed the PR diff contains no `design/`, `packages/plugins/plugin-briefs`, `pnpm-lock.yaml`, or `.github/workflows` changes. ## Risks - Medium: task assignment authorization paths are behaviorally stricter for protected/private policy data, so existing plugin-authored policies may block assignment until explicit grants or approval flows are configured. - Medium: plugin-host authorization APIs expand the surface area available to trusted plugins and need careful review for company scoping. - Low: startup now performs a principal-access compatibility backfill, but the migration and runtime backfill use conflict-tolerant inserts. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent, tool-enabled workflow with shell, git, and GitHub CLI access. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Dotta
GitHub
parent
c91a062326
commit
38c185fb8b
102 changed files with 6744 additions and 395 deletions
|
|
@ -21,7 +21,7 @@ import {
|
|||
usePluginStream,
|
||||
usePluginToast,
|
||||
} from "./bridge.js";
|
||||
import { createElement, useEffect, useMemo, useState, type ComponentType, type ReactNode } from "react";
|
||||
import { Component, createElement, useEffect, useMemo, useState, type ComponentType, type ReactNode } from "react";
|
||||
import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
|
||||
import { User } from "lucide-react";
|
||||
import {
|
||||
|
|
@ -524,6 +524,127 @@ function FragmentSafe({ children }: { children?: ReactNode }) {
|
|||
return createElement("span", { className: "contents" }, children);
|
||||
}
|
||||
|
||||
type PluginStatusBadgeProps = {
|
||||
label: string;
|
||||
status: "ok" | "warning" | "error" | "info" | "pending";
|
||||
};
|
||||
|
||||
function PluginSdkStatusBadge({ label, status }: PluginStatusBadgeProps) {
|
||||
const className = {
|
||||
ok: "border-emerald-300 bg-emerald-50 text-emerald-700",
|
||||
warning: "border-amber-300 bg-amber-50 text-amber-800",
|
||||
error: "border-red-300 bg-red-50 text-red-700",
|
||||
info: "border-slate-300 bg-slate-50 text-slate-700",
|
||||
pending: "border-slate-300 bg-slate-50 text-slate-600",
|
||||
}[status];
|
||||
return createElement(
|
||||
"span",
|
||||
{ className: `inline-flex w-fit items-center rounded-full border px-2 py-0.5 text-xs font-medium ${className}` },
|
||||
label,
|
||||
);
|
||||
}
|
||||
|
||||
type PluginDataTableColumn = {
|
||||
key: string;
|
||||
header: string;
|
||||
render?: (value: unknown, row: Record<string, unknown>) => ReactNode;
|
||||
width?: string;
|
||||
};
|
||||
|
||||
type PluginDataTableProps = {
|
||||
columns: PluginDataTableColumn[];
|
||||
rows: Array<Record<string, unknown> & { id?: string }>;
|
||||
loading?: boolean;
|
||||
emptyMessage?: string;
|
||||
};
|
||||
|
||||
function PluginSdkDataTable({ columns, rows, loading, emptyMessage = "No rows." }: PluginDataTableProps) {
|
||||
if (loading) return createElement("div", { className: "text-sm text-muted-foreground" }, "Loading...");
|
||||
if (!rows.length) return createElement("div", { className: "text-sm text-muted-foreground" }, emptyMessage);
|
||||
const gridColumns = columns.map((column) => column.width ?? "minmax(0, 1fr)").join(" ");
|
||||
return createElement(
|
||||
"div",
|
||||
{ className: "overflow-hidden rounded-md border" },
|
||||
createElement(
|
||||
"div",
|
||||
{
|
||||
className: "hidden border-b bg-muted/35 px-3 py-2 text-xs font-medium uppercase tracking-wide text-muted-foreground md:grid md:[grid-template-columns:var(--plugin-grid-cols)]",
|
||||
style: { "--plugin-grid-cols": gridColumns },
|
||||
},
|
||||
columns.map((column) => createElement("div", { key: column.key }, column.header)),
|
||||
),
|
||||
createElement(
|
||||
"div",
|
||||
{ className: "divide-y" },
|
||||
rows.map((row, index) => createElement(
|
||||
"div",
|
||||
{
|
||||
key: String(row.id ?? index),
|
||||
className: "grid gap-2 px-3 py-3 md:items-center md:[grid-template-columns:var(--plugin-grid-cols)]",
|
||||
style: { "--plugin-grid-cols": gridColumns },
|
||||
},
|
||||
columns.map((column) => createElement(
|
||||
"div",
|
||||
{ key: column.key, className: "min-w-0 text-sm" },
|
||||
createElement("div", { className: "mb-1 text-[11px] font-medium uppercase tracking-wide text-muted-foreground md:hidden" }, column.header),
|
||||
column.render ? column.render(row[column.key], row) : String(row[column.key] ?? ""),
|
||||
)),
|
||||
)),
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
type PluginKeyValueListProps = {
|
||||
pairs: Array<{ label: string; value: ReactNode }>;
|
||||
};
|
||||
|
||||
function PluginSdkKeyValueList({ pairs }: PluginKeyValueListProps) {
|
||||
return createElement(
|
||||
"dl",
|
||||
{ className: "grid gap-x-4 gap-y-1 text-sm sm:grid-cols-[max-content_minmax(0,1fr)]" },
|
||||
pairs.flatMap((pair) => [
|
||||
createElement("dt", { key: `${pair.label}:label`, className: "text-muted-foreground" }, pair.label),
|
||||
createElement("dd", { key: `${pair.label}:value`, className: "min-w-0" }, pair.value),
|
||||
]),
|
||||
);
|
||||
}
|
||||
|
||||
function PluginSdkMetricCard({ label, value, unit }: { label: string; value: string | number; unit?: string }) {
|
||||
return createElement(
|
||||
"div",
|
||||
{ className: "rounded-md border bg-card p-3" },
|
||||
createElement("div", { className: "text-xs font-medium uppercase tracking-wide text-muted-foreground" }, label),
|
||||
createElement("div", { className: "mt-1 text-lg font-semibold" }, `${value}${unit ?? ""}`),
|
||||
);
|
||||
}
|
||||
|
||||
function PluginSdkJsonTree({ data }: { data: unknown }) {
|
||||
return createElement("pre", { className: "max-h-80 overflow-auto rounded-md border bg-muted/30 p-2 text-xs" }, JSON.stringify(data, null, 2));
|
||||
}
|
||||
|
||||
function PluginSdkSpinner({ label = "Loading" }: { size?: "sm" | "md" | "lg"; label?: string }) {
|
||||
return createElement("span", {
|
||||
className: "inline-block h-3.5 w-3.5 animate-spin rounded-full border-2 border-muted-foreground/30 border-t-foreground align-middle",
|
||||
role: "status",
|
||||
"aria-label": label,
|
||||
});
|
||||
}
|
||||
|
||||
class PluginSdkErrorBoundary extends Component<{ children: ReactNode; fallback?: ReactNode }, { hasError: boolean }> {
|
||||
override state = { hasError: false };
|
||||
|
||||
static getDerivedStateFromError() {
|
||||
return { hasError: true };
|
||||
}
|
||||
|
||||
override render() {
|
||||
if (this.state.hasError) {
|
||||
return this.props.fallback ?? createElement("div", { className: "rounded-md border border-destructive/30 p-3 text-sm text-destructive" }, "Plugin UI failed to render.");
|
||||
}
|
||||
return this.props.children;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize the plugin bridge global registry.
|
||||
*
|
||||
|
|
@ -564,6 +685,13 @@ export function initPluginBridge(
|
|||
resolveWikiLinkHref,
|
||||
children: content,
|
||||
}),
|
||||
MetricCard: PluginSdkMetricCard,
|
||||
StatusBadge: PluginSdkStatusBadge,
|
||||
DataTable: PluginSdkDataTable,
|
||||
KeyValueList: PluginSdkKeyValueList,
|
||||
JsonTree: PluginSdkJsonTree,
|
||||
Spinner: PluginSdkSpinner,
|
||||
ErrorBoundary: PluginSdkErrorBoundary,
|
||||
MarkdownEditor: PluginSdkMarkdownEditor,
|
||||
FileTree: PluginSdkFileTree,
|
||||
IssuesList: PluginSdkIssuesList,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue