feat(#735): agent-first scoping — Phase 1 schema, DB layer, and permissions #738
Merged
…ssions

Add agent_id column to pipelines, flows, and jobs tables with idempotent migrations. Create agent_access table for many-to-many user↔agent access grants with role hierarchy (admin/operator/viewer).

- Agents.get_agent(): lookup by primary key (was missing)
- AgentAccess: new repository for role-based access grants
- create_pipeline/flow/job: accept optional agent_id
- get_all_*/count/list_table queries: filter by agent_id
- PermissionHelper: resolve_scoped_agent_id(), can_access_agent(), owns_agent_resource() for REST API scoping
- Backfill migration: existing user_id rows get agent_id via owner lookup
- Backward compatible: agent_id=NULL means single-agent mode

Add agent_id to GetPipelinesAbility, GetFlowsAbility, GetJobsAbility input schemas so all list/query operations can filter by agent. Agent_id takes priority over user_id when both are present.

- Ability input schemas: agent_id param added to get-pipelines, get-flows, get-jobs
- FlowHelpers: getAllFlowsPaginated/countAllFlows accept agent_id
- RunFlowAbility: propagates flow's agent_id to created job and engine snapshot
- REST API (Pipelines, Flows, Jobs): resolve_scoped_agent_id() alongside resolve_scoped_user_id(), agent_id takes priority
- Ownership checks: owns_resource() → owns_agent_resource() for all mutation endpoints (delete, update, duplicate, memory files) on both pipelines and flows

Add shared AgentSwitcher component and param interceptor architecture:

- GET /datamachine/v1/agents REST endpoint (access-scoped per user)
- AgentSwitcher shared component (SelectControl, Zustand-persisted)
- Param interceptor pattern in api.js (client.addParamInterceptor)
- agentInterceptor boot module auto-injects agent_id into all GETs
- AgentSwitcher added to Pipelines, Jobs, Logs, Agent page headers
- TanStack Query cache invalidation on agent switch
- Agents query hook with 10-minute stale time

Transport layer (api.js) stays dumb — interceptors plug in at boot.

… flag

Add DirectoryManager::resolve_agent_slug() as the central resolution method for multi-agent setups. Accepts agent_slug, agent_id, or falls back to user_id lookup (single-agent compat).

- resolve_agent_slug(context) + resolve_agent_directory(context)
- wp datamachine agent paths --agent=<slug> bypasses user→agent lookup
- CoreMemoryFilesDirective uses agent_id from payload
- MemoryFilesReader accepts agent_id parameter
- AgentFileAbilities (list/get/write/upload/delete) use resolve_agent_directory
- AgentMemory + DailyMemory constructors accept agent_id
- AgentMemoryAbilities + DailyMemoryAbilities pass agent_id through
- Pipeline/Flow memory directives thread agent_id from payload

All changes are backward compatible — agent_id defaults to 0, which falls through to existing user_id-based resolution.

Summary
Phase 1 of agent-first scoping (#735). Makes agent_id the primary scoping key for pipelines, flows, and jobs — decoupling WordPress users from agents so multiple users can share agents and external runtimes (Kimaki, CLI) can execute as agents.

- agent_id bigint(20) unsigned DEFAULT NULL column to pipelines, flows, and jobs tables via idempotent migrations
- datamachine_agent_access table with role hierarchy (admin > operator > viewer)
- create_pipeline/flow/job accept agent_id, all query methods (get_all_*, count, list_table) support agent_id filter
- PermissionHelper::resolve_scoped_agent_id(), can_access_agent(), owns_agent_resource() for REST API scoping
- agent_id on existing rows via user_id → owner_id lookup, bootstraps agent_access grants for owners
- agent_id = NULL means single-agent mode, existing installs work without changes

Architecture
Files changed
- AgentAccess.php
- Agents.php: get_agent() by primary key
- Pipelines.php
- Flows.php
- Jobs.php
- JobsOperations.php
- PermissionHelper.php
- migrations.php: datamachine_backfill_agent_ids()
- data-machine.php

Next phases

- resolve_scoped_agent_id(), Ability input schemas get agent_id

Closes phase 1 of #735.
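
The scoping rules described above (role hierarchy admin > operator > viewer, agent_id taking priority over user_id, and 0/NULL falling back to user scoping) are shown here in PHP as an added example; it is not code from this pull request or from the plugin. The function names, the in-memory grants array standing in for the access table, and the choice to reject rather than fall back when a grant is missing are all assumptions.

```php
<?php
// Added illustration, not the plugin's code. All names below are hypothetical.
// Ranks for the hierarchy named in the PR: admin > operator > viewer.
const EXAMPLE_ROLE_RANK = ['viewer' => 1, 'operator' => 2, 'admin' => 3];

// True when $user_id holds a grant on $agent_id at or above $min_role.
// $grants is a constructed stand-in for access-table rows.
function example_can_access_agent(array $grants, int $user_id, int $agent_id, string $min_role): bool {
    $needed = EXAMPLE_ROLE_RANK[$min_role] ?? PHP_INT_MAX; // unknown minimum: deny
    foreach ($grants as $g) {
        if ($g['user_id'] === $user_id && $g['agent_id'] === $agent_id) {
            $held = EXAMPLE_ROLE_RANK[$g['role']] ?? 0; // unknown stored role: no rights
            if ($held >= $needed) {
                return true;
            }
        }
    }
    return false;
}

// Map a client-supplied agent_id to a query scope: ['agent_id' => n],
// ['user_id' => n] for the single-agent fallback, or null to reject the request.
function example_resolve_scope(array $grants, int $user_id, $requested, string $min_role = 'viewer'): ?array {
    if ($requested === null || $requested === '') {
        return ['user_id' => $user_id];
    }
    $agent_id = filter_var($requested, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($agent_id === false) {
        return null; // malformed or negative id
    }
    if ($agent_id === 0) {
        return ['user_id' => $user_id]; // 0 falls through to user scoping
    }
    // No grant means reject. Falling back to user scope here would mask the
    // failure, and returning an empty scope would run the query unfiltered.
    return example_can_access_agent($grants, $user_id, $agent_id, $min_role)
        ? ['agent_id' => $agent_id]
        : null;
}

// Constructed sample grants: user 7 is admin of agent 1, user 8 is a viewer.
$grants = [
    ['user_id' => 7, 'agent_id' => 1, 'role' => 'admin'],
    ['user_id' => 8, 'agent_id' => 1, 'role' => 'viewer'],
];
var_dump(example_resolve_scope($grants, 8, '1'));             // viewer reads agent 1
var_dump(example_resolve_scope($grants, 8, '1', 'operator')); // viewer asks for operator rights
var_dump(example_resolve_scope($grants, 8, '2'));             // agent with no grant
var_dump(example_resolve_scope($grants, 7, null));            // no agent_id supplied
```

Because the client-side interceptor injects agent_id into every GET, the value reaching the server is caller-controlled, so the grant check has to run on each request before agent_id is used as a filter.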