Files
multica/server/pkg/db/generated/agent_invocation_target.sql.go
LinYushen 9c876d7a08 feat(agents): agent invocation permission system (MUL-3963) (#4844)
* feat(agents): agent invocation permission system (permission_mode + invocation targets)

MUL-3963: split who may INVOKE an agent out of the overloaded visibility
column into an explicit, extensible model on feature/composio-integration.

- DB: agent.permission_mode (private|public_to) + agent_invocation_target
  table (workspace/member/team targets) + lossless backfill from visibility
  (migration 130).
- canInvokeAgent: owner-only for private (NO admin bypass, NO A2A bypass);
  public_to honours the allow-list; A2A judged by the top-of-chain originator.
- All trigger paths rewired: issue assign, comment @agent/@squad, chat,
  quick-create, autopilot, squad leader, child-done.
- Agent API: permission_mode + invocation_targets on responses and
  create/update (owner-only writes); legacy visibility kept as a derived field
  so old clients never see a permission widening.
- Composio: BuildTaskOverlay now FOLLOWS invocation permission and uses the
  agent OWNER connection (removed the originator==owner gate); front-end warns
  when a shared agent enables Composio apps.
- CLI: --permission-mode / --public-to-workspace / --public-to-member (legacy
  --visibility still mapped).
- Frontend: AccessPicker (Private / workspace / specific people / team soon),
  permission rules mirror canInvokeAgent, Composio warning banner.
- Tests: migration backfill, admin cannot invoke others private, public_to
  workspace/member whitelist, A2A by originator, Composio overlay uses owner
  connection.

Co-authored-by: multica-agent <github@multica.ai>

* feat(agents): stackable, mixed public_to invocation targets (MUL-3963)

Follow-up on PR #4844: public_to now supports selecting MULTIPLE, MIXED
targets on one agent (e.g. Public to workspace + specific people + team),
with canInvokeAgent admitting on ANY matching target (OR).

- Frontend AccessPicker: reworked from a single exclusive kind into a
  stackable multi-select — an "Everyone in workspace" toggle, a member
  multi-select checklist, and a (disabled, v1) team placeholder can be
  combined freely. Emits the full union of selected targets; empty union
  collapses to Private. Existing team targets are preserved across saves.
  Added the access.public_group locale string (en/zh-Hans/ja/ko).
- Backend already supported this (agent_invocation_target is multi-row per
  agent; create/update take a target ARRAY and batch-replace the whole
  allow-list; canInvokeAgent OR-matches). Added tests to lock it in:
  mixed member+team targets, overlapping-member batch replace, and
  workspace+member stacking then narrowing.

Refs MUL-3963.

Co-authored-by: multica-agent <github@multica.ai>

* fix(agents): address review on invocation permission (MUL-3963)

张大彪 review on PR #4844 — three blockers + product ruling + nits:

1. Migration 130: drop the FK/cascade on agent_invocation_target
   (agent_id, created_by) per the Multica no-FK rule; relationships are now
   maintained in the app layer (matching MUL-3515 §4). Added
   DeleteAgentInvocationTargetsByArchivedRuntimeAgents and call it before
   DeleteArchivedAgentsByRuntime in all three runtime-delete paths
   (runtime.go x2, runtime_profile.go) so hard-deleting agents can't orphan
   target rows.
2. revokeAndRemoveMember: prune the leaving member's member-target grants
   (DeleteAgentInvocationTargetsByMember) in the same tx as the member-row
   delete, so a re-invited user can't reclaim a stale invocation grant.
3. Empty public_to is a phantom — parsePermissionInput now normalises a
   public_to with no resolvable targets to a single workspace target, so
   `--permission-mode public_to` alone (and any empty target array) means
   "public to workspace" instead of "shared but nobody can run it".

Product ruling: the system/no-human-originator → workspace-target path in
canInvokeAgent is a deliberate, documented exception (webhook/system/
workspace-wide automation); member/team targets still fail closed without a
resolved originator. Documented in code + locked with a test.

Nits: refreshed the stale "originator must be owner" comments — models.go
(via migration 130 COMMENT ON COLUMN + sqlc regen for composio_toolkit_allowlist
and originator_user_id) and agent-mcp-tab.tsx — to the owner-connection +
invocation-permission rules.

Tests: member remove/re-add regression, system workspace exception + member
fail-closed, empty public_to → workspace (plus the earlier mixed/overlap/
batch-replace suite). Migration 130 applied to the test DB; Go handler/service/
composio suites green; views typecheck clean.

Refs MUL-3963.

Co-authored-by: multica-agent <github@multica.ai>

* fix(agents): scope member invocation-target cleanup to one workspace (MUL-3963)

张大彪 3rd review — cross-workspace permission bug + comment nits:

- DeleteAgentInvocationTargetsByMember was a GLOBAL delete by user id, so
  removing a user from workspace A also wiped their member-target grants on
  agents in workspace B. Scoped it to a single workspace by joining through
  agent.workspace_id; revokeAndRemoveMember now passes (workspaceID, userID).
- Regression test TestRevokeMember_InvocationTargetCleanupIsWorkspaceScoped:
  same user allow-listed by agents in two workspaces; removal from one leaves
  the other workspace's target intact.
- Nits: refreshed the remaining stale "originator == agent.owner_id" /
  "owner-vs-originator" comments — CreateRetryTask (agent.sql, regenerated),
  and the AgentResponse allowlist doc + ListAgents/UpdateAgent redaction
  rationale in agent.go — to the owner-connection + invocation-permission rule.

Migration 130 applied to the test DB; Go handler/service/composio suites green;
go vet clean.

Refs MUL-3963.

Co-authored-by: multica-agent <github@multica.ai>

---------

Co-authored-by: multica-agent <github@multica.ai>
2026-07-02 16:16:17 +08:00

166 lines
5.5 KiB
Go

// Code generated by sqlc. DO NOT EDIT.
// versions:
// sqlc v1.31.1
// source: agent_invocation_target.sql
package db
import (
"context"
"github.com/jackc/pgx/v5/pgtype"
)
const createAgentInvocationTarget = `-- name: CreateAgentInvocationTarget :exec
INSERT INTO agent_invocation_target (agent_id, target_type, target_id, created_by)
VALUES ($1, $2, $3, $4)
ON CONFLICT (agent_id, target_type, target_id) DO UPDATE SET
created_by = EXCLUDED.created_by,
created_at = now()
`
type CreateAgentInvocationTargetParams struct {
AgentID pgtype.UUID `json:"agent_id"`
TargetType string `json:"target_type"`
TargetID pgtype.UUID `json:"target_id"`
CreatedBy pgtype.UUID `json:"created_by"`
}
// Idempotent upsert: re-adding an existing (agent, target_type, target)
// refreshes created_by/created_at rather than erroring. Callers replace the
// whole set via DeleteAgentInvocationTargets + a series of these, so the
// ON CONFLICT is belt-and-suspenders against races.
func (q *Queries) CreateAgentInvocationTarget(ctx context.Context, arg CreateAgentInvocationTargetParams) error {
_, err := q.db.Exec(ctx, createAgentInvocationTarget,
arg.AgentID,
arg.TargetType,
arg.TargetID,
arg.CreatedBy,
)
return err
}
const deleteAgentInvocationTargets = `-- name: DeleteAgentInvocationTargets :exec
DELETE FROM agent_invocation_target
WHERE agent_id = $1
`
// Clears every target for an agent. Used before re-writing the allow-list so
// the update is a wholesale replace, matching the composio_toolkit_allowlist
// write model.
func (q *Queries) DeleteAgentInvocationTargets(ctx context.Context, agentID pgtype.UUID) error {
_, err := q.db.Exec(ctx, deleteAgentInvocationTargets, agentID)
return err
}
const deleteAgentInvocationTargetsByArchivedRuntimeAgents = `-- name: DeleteAgentInvocationTargetsByArchivedRuntimeAgents :exec
DELETE FROM agent_invocation_target
WHERE agent_id IN (
SELECT id FROM agent WHERE runtime_id = $1 AND archived_at IS NOT NULL
)
`
// Application-layer replacement for the (deliberately absent) agent_id ON
// DELETE CASCADE: removes invocation targets for the archived agents a runtime
// delete is about to hard-delete. MUST run in the same tx as, and BEFORE,
// DeleteArchivedAgentsByRuntime so no orphan target rows survive the agent
// rows they belonged to. Mirrors the agent hard-delete predicate exactly.
func (q *Queries) DeleteAgentInvocationTargetsByArchivedRuntimeAgents(ctx context.Context, runtimeID pgtype.UUID) error {
_, err := q.db.Exec(ctx, deleteAgentInvocationTargetsByArchivedRuntimeAgents, runtimeID)
return err
}
const deleteAgentInvocationTargetsByMember = `-- name: DeleteAgentInvocationTargetsByMember :exec
DELETE FROM agent_invocation_target ait
USING agent a
WHERE ait.agent_id = a.id
AND a.workspace_id = $1
AND ait.target_type = 'member'
AND ait.target_id = $2
`
type DeleteAgentInvocationTargetsByMemberParams struct {
WorkspaceID pgtype.UUID `json:"workspace_id"`
TargetID pgtype.UUID `json:"target_id"`
}
// Removes member-target grants pointing at a leaving user, SCOPED to a single
// workspace. A user may belong to multiple workspaces; removing them from one
// must NOT touch their invocation grants on agents in another workspace. Joins
// through agent (agent_invocation_target has no workspace_id column and no FK)
// to bound the delete to @workspace_id.
func (q *Queries) DeleteAgentInvocationTargetsByMember(ctx context.Context, arg DeleteAgentInvocationTargetsByMemberParams) error {
_, err := q.db.Exec(ctx, deleteAgentInvocationTargetsByMember, arg.WorkspaceID, arg.TargetID)
return err
}
const listAgentInvocationTargets = `-- name: ListAgentInvocationTargets :many
SELECT id, agent_id, target_type, target_id, created_by, created_at FROM agent_invocation_target
WHERE agent_id = $1
ORDER BY target_type ASC, created_at ASC
`
// Agent invocation permission targets (MUL-3963). Rows are the allow-list for
// agents whose permission_mode = 'public_to'. See migration 130.
func (q *Queries) ListAgentInvocationTargets(ctx context.Context, agentID pgtype.UUID) ([]AgentInvocationTarget, error) {
rows, err := q.db.Query(ctx, listAgentInvocationTargets, agentID)
if err != nil {
return nil, err
}
defer rows.Close()
items := []AgentInvocationTarget{}
for rows.Next() {
var i AgentInvocationTarget
if err := rows.Scan(
&i.ID,
&i.AgentID,
&i.TargetType,
&i.TargetID,
&i.CreatedBy,
&i.CreatedAt,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const listAgentInvocationTargetsByAgentIDs = `-- name: ListAgentInvocationTargetsByAgentIDs :many
SELECT id, agent_id, target_type, target_id, created_by, created_at FROM agent_invocation_target
WHERE agent_id = ANY($1::uuid[])
ORDER BY agent_id, target_type ASC, created_at ASC
`
// Batch load for the agent list endpoint so we don't N+1 per agent.
func (q *Queries) ListAgentInvocationTargetsByAgentIDs(ctx context.Context, agentIds []pgtype.UUID) ([]AgentInvocationTarget, error) {
rows, err := q.db.Query(ctx, listAgentInvocationTargetsByAgentIDs, agentIds)
if err != nil {
return nil, err
}
defer rows.Close()
items := []AgentInvocationTarget{}
for rows.Next() {
var i AgentInvocationTarget
if err := rows.Scan(
&i.ID,
&i.AgentID,
&i.TargetType,
&i.TargetID,
&i.CreatedBy,
&i.CreatedAt,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}