🗨️ feat: Granular Prompt Permissions via ACL and Permission Bits

feat: Implement prompt permissions management and access control middleware

fix: agent deletion process to remove associated permissions and ACL entries

fix: Import Permissions for enhanced access control in GrantAccessDialog

feat: use PromptGroup for access control

- Added migration script for PromptGroup permissions, categorizing groups into global view access and private groups.
- Created unit tests for the migration script to ensure correct categorization and permission granting.
- Introduced middleware for checking access permissions on PromptGroups and prompts via their groups.
- Updated routes to utilize new access control middleware for PromptGroups.
- Enhanced access role definitions to include roles specific to PromptGroups.
- Modified ACL entry schema and types to accommodate PromptGroup resource type.
- Updated data provider to include new access role identifiers for PromptGroups.

feat: add generic access management dialogs and hooks for resource permissions

fix: remove duplicate imports in FileContext component

fix: remove duplicate mongoose dependency in package.json

feat: add access permissions handling for dynamic resource types and add promptGroup roles

feat: implement centralized role localization and update access role types

refactor: simplify author handling in prompt group routes and enhance ACL checks

feat: implement addPromptToGroup functionality and update PromptForm to use it

feat: enhance permission handling in ChatGroupItem, DashGroupItem, and PromptForm components

chore: rename migration script for prompt group permissions and update package.json scripts

chore: update prompt tests

packages/data-provider/src/accessPermissions.ts

@@ -38,11 +38,17 @@ export const PERMISSION_BITS = {
 /**
  * Standard access role IDs
  */
-export const ACCESS_ROLE_IDS = {
-  AGENT_VIEWER: 'agent_viewer',
-  AGENT_EDITOR: 'agent_editor',
-  AGENT_OWNER: 'agent_owner', // Future use
-} as const;
+export enum ACCESS_ROLE_IDS {
+  AGENT_VIEWER = 'agent_viewer',
+  AGENT_EDITOR = 'agent_editor',
+  AGENT_OWNER = 'agent_owner', // Future use
+  PROMPT_VIEWER = 'prompt_viewer',
+  PROMPT_EDITOR = 'prompt_editor',
+  PROMPT_OWNER = 'prompt_owner',
+  PROMPTGROUP_VIEWER = 'promptGroup_viewer',
+  PROMPTGROUP_EDITOR = 'promptGroup_editor',
+  PROMPTGROUP_OWNER = 'promptGroup_owner',
+}
 
 // ===== ZOD SCHEMAS =====
 
@@ -58,7 +64,7 @@ export const principalSchema = z.object({
   avatar: z.string().optional(), // for user and group types
   description: z.string().optional(), // for group type
   idOnTheSource: z.string().optional(), // Entra ID for users/groups
-  accessRoleId: z.string().optional(), // Access role ID for permissions
+  accessRoleId: z.nativeEnum(ACCESS_ROLE_IDS).optional(), // Access role ID for permissions
   memberCount: z.number().optional(), // for group type
 });
 
@@ -66,7 +72,7 @@ export const principalSchema = z.object({
  * Access role schema - defines named permission sets
  */
 export const accessRoleSchema = z.object({
-  accessRoleId: z.string(),
+  accessRoleId: z.nativeEnum(ACCESS_ROLE_IDS),
   name: z.string(),
   description: z.string().optional(),
   resourceType: z.string().default('agent'),

packages/data-provider/src/api-endpoints.ts

@@ -148,6 +148,8 @@ export const config = () => '/api/config';
 
 export const prompts = () => '/api/prompts';
 
+export const addPromptToGroup = (groupId: string) => `/api/prompts/groups/${groupId}/prompts`;
+
 export const assistants = ({
   path = '',
   options,

packages/data-provider/src/data-service.ts

@@ -727,6 +727,13 @@ export function createPrompt(payload: t.TCreatePrompt): Promise<t.TCreatePromptR
   return request.post(endpoints.postPrompt(), payload);
 }
 
+export function addPromptToGroup(
+  groupId: string,
+  payload: t.TCreatePrompt,
+): Promise<t.TCreatePromptResponse> {
+  return request.post(endpoints.addPromptToGroup(groupId), payload);
+}
+
 export function updatePromptGroup(
   variables: t.TUpdatePromptGroupVariables,
 ): Promise<t.TUpdatePromptGroupResponse> {

packages/data-provider/src/types/queries.ts

@@ -1,4 +1,5 @@
 import type { InfiniteData } from '@tanstack/react-query';
+import type { ACCESS_ROLE_IDS } from '../accessPermissions';
 import type * as a from '../types/agents';
 import type * as s from '../schemas';
 import type * as t from '../types';
@@ -158,7 +159,7 @@ export type PrincipalSearchResponse = {
 };
 
 export type AccessRole = {
-  accessRoleId: string;
+  accessRoleId: ACCESS_ROLE_IDS;
   name: string;
   description: string;
   permBits: number;

packages/data-schemas/package.json

@@ -66,7 +66,6 @@
     "lodash": "^4.17.21",
     "meilisearch": "^0.38.0",
     "mongoose": "^8.12.1",
-    "mongoose": "^8.12.1",
     "nanoid": "^3.3.7",
     "winston": "^3.17.0",
     "winston-daily-rotate-file": "^5.0.0"

packages/data-schemas/src/methods/accessRole.ts

@@ -124,6 +124,50 @@ export function createAccessRoleMethods(mongoose: typeof import('mongoose')) {
         resourceType: 'agent',
         permBits: RoleBits.OWNER,
       },
+      // Prompt access roles
+      {
+        accessRoleId: 'prompt_viewer',
+        name: 'com_ui_role_viewer',
+        description: 'com_ui_role_viewer_desc',
+        resourceType: 'prompt',
+        permBits: RoleBits.VIEWER,
+      },
+      {
+        accessRoleId: 'prompt_editor',
+        name: 'com_ui_role_editor',
+        description: 'com_ui_role_editor_desc',
+        resourceType: 'prompt',
+        permBits: RoleBits.EDITOR,
+      },
+      {
+        accessRoleId: 'prompt_owner',
+        name: 'com_ui_role_owner',
+        description: 'com_ui_role_owner_desc',
+        resourceType: 'prompt',
+        permBits: RoleBits.OWNER,
+      },
+      // PromptGroup access roles
+      {
+        accessRoleId: 'promptGroup_viewer',
+        name: 'com_ui_role_viewer',
+        description: 'com_ui_role_viewer_desc',
+        resourceType: 'promptGroup',
+        permBits: RoleBits.VIEWER,
+      },
+      {
+        accessRoleId: 'promptGroup_editor',
+        name: 'com_ui_role_editor',
+        description: 'com_ui_role_editor_desc',
+        resourceType: 'promptGroup',
+        permBits: RoleBits.EDITOR,
+      },
+      {
+        accessRoleId: 'promptGroup_owner',
+        name: 'com_ui_role_owner',
+        description: 'com_ui_role_owner_desc',
+        resourceType: 'promptGroup',
+        permBits: RoleBits.OWNER,
+      },
     ];
 
     const result: Record<string, IAccessRole> = {};

packages/data-schemas/src/schema/accessRole.ts

@@ -16,7 +16,7 @@ const accessRoleSchema = new Schema<IAccessRole>(
     description: String,
     resourceType: {
       type: String,
-      enum: ['agent', 'project', 'file'],
+      enum: ['agent', 'project', 'file', 'prompt', 'promptGroup'],
       required: true,
       default: 'agent',
     },

packages/data-schemas/src/schema/aclEntry.ts

@@ -25,7 +25,7 @@ const aclEntrySchema = new Schema<IAclEntry>(
     },
     resourceType: {
       type: String,
-      enum: ['agent', 'project', 'file'],
+      enum: ['agent', 'project', 'file', 'prompt', 'promptGroup'],
       required: true,
     },
     resourceId: {

packages/data-schemas/src/types/aclEntry.ts

@@ -7,8 +7,8 @@ export type AclEntry = {
   principalId?: Types.ObjectId;
   /** The model name for the principal ('User' or 'Group') */
   principalModel?: 'User' | 'Group';
-  /** The type of resource ('agent', 'project', 'file') */
-  resourceType: 'agent' | 'project' | 'file';
+  /** The type of resource ('agent', 'project', 'file', 'prompt', 'promptGroup') */
+  resourceType: 'agent' | 'project' | 'file' | 'prompt' | 'promptGroup';
   /** The ID of the resource */
   resourceId: Types.ObjectId;
   /** Permission bits for this entry */