RBAC - 5

Author: Aegis Stack

aegis/cli/callbacks.py

@@ -200,6 +200,10 @@ def validate_and_resolve_services(
                     service_name="auth",
                     level=auth_config.level,
                 )
+                if auth_config.engine:
+                    from .interactive import set_database_engine_selection
+
+                    set_database_engine_selection(auth_config.engine)
                 typer.echo(f"Auth service: level={auth_config.level}")
             except ValueError as e:
                 typer.secho(f"Invalid auth service syntax: {e}", fg="red", err=True)

aegis/core/auth_service_parser.py

@@ -1,16 +1,20 @@
 """
 Auth service bracket syntax parser.
 
-Parses auth[level] syntax where level is one of: basic, rbac.
-Default (plain "auth" without brackets): basic.
+Parses auth[level, engine] syntax where values are detected by type:
+- Levels: basic, rbac, org
+- Engines: sqlite, postgres
+
+Order doesn't matter. Defaults: basic, (no engine override).
 """
 
 from dataclasses import dataclass
 
-from ..constants import AuthLevels
+from ..constants import AuthLevels, StorageBackends
 
-# Valid auth levels
+# Valid values for detection
 LEVELS = set(AuthLevels.ALL)
+ENGINES = {StorageBackends.SQLITE, StorageBackends.POSTGRES}
 
 DEFAULT_LEVEL = AuthLevels.BASIC
 
@@ -20,17 +24,19 @@ class AuthServiceConfig:
     """Parsed auth service configuration."""
 
     level: str
+    engine: str | None = None
 
 
 def parse_auth_service_config(service_string: str) -> AuthServiceConfig:
     """
     Parse auth[...] service string into config.
 
     Args:
-        service_string: Service specification like "auth", "auth[]", or "auth[rbac]"
+        service_string: Service specification like "auth", "auth[rbac]",
+                        or "auth[org,postgres]"
 
     Returns:
-        AuthServiceConfig with level
+        AuthServiceConfig with level and optional engine
 
     Raises:
         ValueError: If service string is invalid or has unknown values
@@ -65,15 +71,40 @@ def parse_auth_service_config(service_string: str) -> AuthServiceConfig:
     if not bracket_content:
         return AuthServiceConfig(level=DEFAULT_LEVEL)
 
-    # Single value expected
-    level = bracket_content.lower()
+    # Split by comma and categorize
+    values = [v.strip().lower() for v in bracket_content.split(",") if v.strip()]
+
+    found_levels: list[str] = []
+    found_engines: list[str] = []
+
+    for value in values:
+        if value in LEVELS:
+            found_levels.append(value)
+        elif value in ENGINES:
+            found_engines.append(value)
+        else:
+            raise ValueError(
+                f"Unknown value '{value}' in auth[...] syntax. "
+                f"Valid levels: {', '.join(sorted(LEVELS))}. "
+                f"Valid engines: {', '.join(sorted(ENGINES))}."
+            )
+
+    if len(found_levels) > 1:
+        raise ValueError(
+            f"Cannot specify multiple levels: {', '.join(found_levels)}. "
+            f"Choose one of: {', '.join(sorted(LEVELS))}."
+        )
 
-    if level not in LEVELS:
+    if len(found_engines) > 1:
         raise ValueError(
-            f"Unknown auth level '{level}'. Valid levels: {', '.join(sorted(LEVELS))}."
+            f"Cannot specify multiple engines: {', '.join(found_engines)}. "
+            f"Choose one of: {', '.join(sorted(ENGINES))}."
         )
 
-    return AuthServiceConfig(level=level)
+    level = found_levels[0] if found_levels else DEFAULT_LEVEL
+    engine = found_engines[0] if found_engines else None
+
+    return AuthServiceConfig(level=level, engine=engine)
 
 
 def is_auth_service_with_options(service_string: str) -> bool:

aegis/core/migration_generator.py

@@ -63,13 +63,22 @@ class TableSpec:
     foreign_keys: list[ForeignKeySpec] = field(default_factory=list)
 
 
+@dataclass
+class AlterTableSpec:
+    """Specification for altering an existing table (adding columns)."""
+
+    name: str
+    add_columns: list[ColumnSpec]
+
+
 @dataclass
 class ServiceMigrationSpec:
     """Migration specification for a service."""
 
     service_name: str
     tables: list[TableSpec]
     description: str
+    alter_tables: list[AlterTableSpec] = field(default_factory=list)
 
 
 # ============================================================================
@@ -90,7 +99,6 @@ class ServiceMigrationSpec:
                 ColumnSpec(
                     "is_verified", "sa.Boolean()", nullable=False, default="False"
                 ),
-                ColumnSpec("role", "sa.String()", nullable=False, default="'user'"),
                 ColumnSpec("hashed_password", "sa.String()", nullable=False),
                 ColumnSpec("last_login", "sa.DateTime()", nullable=True),
                 ColumnSpec("created_at", "sa.DateTime()", nullable=False),
@@ -101,6 +109,20 @@ class ServiceMigrationSpec:
     ],
 )
 
+AUTH_RBAC_MIGRATION = ServiceMigrationSpec(
+    service_name="auth_rbac",
+    description="RBAC role column for user table",
+    tables=[],
+    alter_tables=[
+        AlterTableSpec(
+            name="user",
+            add_columns=[
+                ColumnSpec("role", "sa.String()", nullable=False, default="'user'"),
+            ],
+        ),
+    ],
+)
+
 ORG_MIGRATION = ServiceMigrationSpec(
     service_name="auth_org",
     description="Organization and membership tables",
@@ -418,6 +440,7 @@ class ServiceMigrationSpec:
 # Registry of all service migrations
 MIGRATION_SPECS: dict[str, ServiceMigrationSpec] = {
     "auth": AUTH_MIGRATION,
+    "auth_rbac": AUTH_RBAC_MIGRATION,
     "auth_org": ORG_MIGRATION,
     "ai": AI_MIGRATION,
     "ai_voice": VOICE_MIGRATION,
@@ -449,7 +472,7 @@ class ServiceMigrationSpec:
 
 
 def upgrade() -> None:
-    """Create {{ service_name }} service tables."""
+    """{{ upgrade_description }}"""
 {% for table in tables %}
     # Create {{ table.name }} table
     op.create_table(
@@ -472,10 +495,22 @@ def upgrade() -> None:
     op.create_index(op.f('{{ index.name }}'), '{{ table.name }}', {{ index.columns }}{% if index.unique %}, unique=True{% endif %})
 {% endfor %}
 
+{% endfor %}
+{% for alter in alter_tables %}
+    # Alter {{ alter.name }} table
+{% for column in alter.add_columns %}
+    op.add_column('{{ alter.name }}', sa.Column('{{ column.name }}', {{ column.type }}, nullable={{ column.nullable }}{% if column.server_default %}, server_default={{ column.server_default }}{% endif %}))
+{% endfor %}
+
 {% endfor %}
 
 def downgrade() -> None:
-    """Drop {{ service_name }} service tables."""
+    """Reverse {{ service_name }} migration."""
+{% for alter in alter_tables|reverse %}
+{% for column in alter.add_columns|reverse %}
+    op.drop_column('{{ alter.name }}', '{{ column.name }}')
+{% endfor %}
+{% endfor %}
 {% for table in tables|reverse %}
 {% for index in table.indexes %}
     op.drop_index(op.f('{{ index.name }}'), table_name='{{ table.name }}')
@@ -604,14 +639,48 @@ def _render_migration(
             }
         )
 
+    # Prepare alter table data for template
+    alter_tables_data = []
+    for alter in spec.alter_tables:
+        cols = []
+        for col in alter.add_columns:
+            # For add_column, server_default needs sa.text() wrapper
+            server_default = None
+            if col.default is not None:
+                server_default = f'sa.text("{col.default}")'
+            cols.append(
+                {
+                    "name": col.name,
+                    "type": col.type,
+                    "nullable": col.nullable,
+                    "server_default": server_default,
+                }
+            )
+        alter_tables_data.append(
+            {
+                "name": alter.name,
+                "add_columns": cols,
+            }
+        )
+
+    # Build upgrade description
+    if spec.tables and spec.alter_tables:
+        upgrade_description = f"Create and alter {spec.service_name} service tables."
+    elif spec.alter_tables:
+        upgrade_description = f"Add {spec.service_name} columns."
+    else:
+        upgrade_description = f"Create {spec.service_name} service tables."
+
     return template.render(
         description=spec.description,
         service_name=spec.service_name,
+        upgrade_description=upgrade_description,
         revision=revision,
         down_revision=down_revision,
         down_revision_repr=f"'{down_revision}'" if down_revision else "None",
         create_date=datetime.now(UTC).strftime("%Y-%m-%d %H:%M:%S.%f"),
         tables=tables_data,
+        alter_tables=alter_tables_data,
     )
 
 
@@ -693,14 +762,24 @@ def get_services_needing_migrations(context: dict[str, Any]) -> list[str]:
     """
     services = []
 
-    # Auth service
+    # Auth service (base user table)
     include_auth = context.get("include_auth")
     if include_auth == "yes" or include_auth is True:
         services.append("auth")
 
+    # Auth RBAC columns (rbac or org level)
+    include_auth_rbac = context.get("include_auth_rbac")
+    auth_level = context.get("auth_level")
+    rbac_enabled = (
+        include_auth_rbac == "yes"
+        or include_auth_rbac is True
+        or (isinstance(auth_level, str) and auth_level.lower() in ("rbac", "org"))
+    )
+    if (include_auth == "yes" or include_auth is True) and rbac_enabled:
+        services.append("auth_rbac")
+
     # Auth org tables (only with org-level auth)
     include_auth_org = context.get("include_auth_org")
-    auth_level = context.get("auth_level")
     org_enabled = (
         include_auth_org == "yes"
         or include_auth_org is True

aegis/core/service_resolver.py

@@ -7,6 +7,7 @@
 
 from ..constants import AnswerKeys, ComponentNames, StorageBackends
 from .ai_service_parser import is_ai_service_with_options, parse_ai_service_config
+from .auth_service_parser import is_auth_service_with_options, parse_auth_service_config
 from .component_utils import extract_base_component_name, extract_base_service_name
 from .dependency_resolver import DependencyResolver
 from .services import SERVICES, get_service_dependencies
@@ -59,6 +60,19 @@ def resolve_service_dependencies(
                     )
                     service_required_components.add(database_component)
 
+            # Handle Auth service with engine override (from bracket syntax)
+            if base_service == AnswerKeys.SERVICE_AUTH and is_auth_service_with_options(
+                service
+            ):
+                auth_config = parse_auth_service_config(service)
+                if auth_config.engine:
+                    # Replace plain "database" with engine-specific version
+                    service_required_components.discard(ComponentNames.DATABASE)
+                    database_component = (
+                        f"{ComponentNames.DATABASE}[{auth_config.engine}]"
+                    )
+                    service_required_components.add(database_component)
+
         # Convert to list and resolve component-to-component dependencies
         component_list = list(service_required_components)
         resolved_components = DependencyResolver.resolve_dependencies(component_list)

aegis/i18n/locales/en.py

@@ -112,8 +112,8 @@
     "interactive.auth_level_label": "Authentication Level:",
     "interactive.auth_select": "What type of authentication?",
     "interactive.auth_basic": "Basic - Email/password login",
-    "interactive.auth_rbac": "With Roles - + role-based access control",
-    "interactive.auth_org": "With Organizations - + multi-tenant support",
+    "interactive.auth_rbac": "With Roles - + role-based access control (experimental)",
+    "interactive.auth_org": "With Organizations - + multi-tenant support (experimental)",
     "interactive.auth_selected": "Selected auth level: {level}",
     "interactive.auth_db_required": "Database Required:",
     "interactive.auth_db_reason": (

aegis/i18n/locales/zh.py

@@ -88,8 +88,8 @@
     "interactive.auth_level_label": "认证级别：",
     "interactive.auth_select": "需要哪种认证方式？",
     "interactive.auth_basic": "基础认证 — 邮箱 + 密码登录",
-    "interactive.auth_rbac": "角色权限 — 基于角色的访问控制（RBAC）",
-    "interactive.auth_org": "多租户 — 组织级别的权限隔离",
+    "interactive.auth_rbac": "角色权限 — 基于角色的访问控制（实验性）",
+    "interactive.auth_org": "多租户 — 组织级别的权限隔离（实验性）",
     "interactive.auth_selected": "认证级别：{level}",
     "interactive.auth_db_required": "需要数据库：",
     "interactive.auth_db_reason": "认证服务需要数据库来存储用户数据",

aegis/templates/copier-aegis-project/{{ project_slug }}/.env.example.jinja

@@ -108,6 +108,9 @@ LOGFIRE_TOKEN=
 # LOGFIRE_PROJECT_URL=https://logfire.pydantic.dev/myorg/myproject
 {%- endif %}
 
+# Authentication (set to false only for local development without login)
+AUTH_ENABLED=true
+
 # API Keys and Secrets (add as needed)
 # SECRET_KEY=your-super-secret-key-here
 # API_KEY=your-api-key-here

aegis/templates/copier-aegis-project/{{ project_slug }}/Makefile.jinja

@@ -188,6 +188,13 @@ migrate-history: ## Show migration history
 	@echo "Migration history:"
 	@docker compose exec webserver uv run alembic -c alembic/alembic.ini history --verbose
 
+migrate-fix: ## Auto-fix schema mismatches after upgrade (safe: only adds, never drops)
+	@echo "Checking for schema mismatches..."
+	@docker compose exec webserver uv run python -m app.cli.migrate_fix
+	@echo "Applying fix migration..."
+	@docker compose exec webserver uv run alembic -c alembic/alembic.ini upgrade head
+	@echo "Schema fix complete"
+
 migrate-reset: ## Reset database (WARNING: destructive)
 	@echo "WARNING: This will destroy all data in the database!"
 	@read -p "Are you sure? Type 'yes' to continue: " confirm && [ "$$confirm" = "yes" ] || exit 1