Backported Pulse Insights

Author: Aegis Stack

aegis/core/migration_generator.py

@@ -111,6 +111,37 @@ class ServiceMigrationSpec:
             ],
             indexes=[IndexSpec("ix_user_email", ["email"], unique=True)],
         ),
+        # UserOAuthIdentity - links a user to a third-party identity.
+        # One user can have many identities (GitHub + Google). The
+        # (provider, provider_user_id) pair is unique to prevent identity
+        # hijacking across accounts.
+        TableSpec(
+            name="user_oauth_identity",
+            columns=[
+                ColumnSpec("id", "sa.Integer()", nullable=False, primary_key=True),
+                ColumnSpec("user_id", "sa.Integer()", nullable=False),
+                ColumnSpec("provider", "sa.String(32)", nullable=False),
+                # Stored as string to avoid caring whether the provider
+                # uses int IDs (GitHub) or UUIDs (some others).
+                ColumnSpec("provider_user_id", "sa.String(128)", nullable=False),
+                ColumnSpec("provider_username", "sa.String(128)", nullable=True),
+                ColumnSpec("provider_email", "sa.String(255)", nullable=True),
+                ColumnSpec("avatar_url", "sa.String(512)", nullable=True),
+                ColumnSpec("created_at", "sa.DateTime()", nullable=False),
+                ColumnSpec("updated_at", "sa.DateTime()", nullable=False),
+            ],
+            indexes=[
+                IndexSpec(
+                    "uq_user_oauth_identity_provider_pid",
+                    ["provider", "provider_user_id"],
+                    unique=True,
+                ),
+                IndexSpec("ix_user_oauth_identity_user_id", ["user_id"]),
+            ],
+            foreign_keys=[
+                ForeignKeySpec(["user_id"], "user", ["id"]),
+            ],
+        ),
     ],
 )
 
@@ -606,7 +637,9 @@ class ServiceMigrationSpec:
                 ForeignKeySpec(["metric_type_id"], "insight_metric_type", ["id"]),
             ],
         ),
-        # InsightEvent - contextual markers
+        # InsightEvent - contextual markers. The user-coupled
+        # `created_by_user_id` column + FK + index are added by the
+        # `insights_auth_link` migration when auth is also included.
         TableSpec(
             name="insight_event",
             columns=[
@@ -615,11 +648,80 @@ class ServiceMigrationSpec:
                 ColumnSpec("event_type", "sa.String(64)", nullable=False),
                 ColumnSpec("description", "sa.String(1024)", nullable=False),
                 ColumnSpec("metadata", "sa.JSON()", nullable=False, default="{}"),
+                # `origin` distinguishes collector output from user-created
+                # annotations so the API/UI only exposes user rows for editing
+                # and collector cleanups stay scoped to their own rows.
+                ColumnSpec(
+                    "origin", "sa.String(16)", nullable=False, default="'collector'"
+                ),
                 ColumnSpec("created_at", "sa.DateTime()", nullable=False),
             ],
             indexes=[
                 IndexSpec("ix_insight_event_date", ["date"]),
                 IndexSpec("ix_insight_event_type_date", ["event_type", "date"]),
+                IndexSpec("ix_insight_event_origin", ["origin"]),
+                IndexSpec("ix_insight_event_origin_date", ["origin", "date"]),
+            ],
+        ),
+    ],
+)
+
+# Insights + Auth: glue migration that adds the user-FK column to
+# insight_event and creates the user-scoped `insight_goal` table. Only runs
+# when both services are included; runs after both base migrations so the
+# `user` table exists when the FK is created.
+INSIGHTS_AUTH_LINK_MIGRATION = ServiceMigrationSpec(
+    service_name="insights_auth_link",
+    description="Link insight_event/insight_goal to user.id (auth + insights)",
+    tables=[
+        # InsightGoal - per-user metric goals (target value + window/date,
+        # status). Goals are scoped to a user and a project_slug; many goals
+        # per user is supported. See goal_service for progress calculation.
+        TableSpec(
+            name="insight_goal",
+            columns=[
+                ColumnSpec("id", "sa.Integer()", nullable=False, primary_key=True),
+                ColumnSpec("user_id", "sa.Integer()", nullable=False),
+                ColumnSpec("source_project_slug", "sa.String(64)", nullable=False),
+                ColumnSpec("metric_key", "sa.String(64)", nullable=False),
+                ColumnSpec("kind", "sa.String(16)", nullable=False),
+                ColumnSpec("target_value", "sa.Float()", nullable=False),
+                ColumnSpec("window_days", "sa.Integer()", nullable=True),
+                ColumnSpec("target_date", "sa.Date()", nullable=True),
+                ColumnSpec(
+                    "status", "sa.String(16)", nullable=False, default="'active'"
+                ),
+                ColumnSpec("created_at", "sa.DateTime()", nullable=False),
+                ColumnSpec("updated_at", "sa.DateTime()", nullable=False),
+            ],
+            indexes=[
+                IndexSpec("ix_insight_goal_user_id", ["user_id"]),
+                IndexSpec(
+                    "ix_insight_goal_source_project_slug",
+                    ["source_project_slug"],
+                ),
+                IndexSpec("ix_insight_goal_metric_key", ["metric_key"]),
+                IndexSpec("ix_insight_goal_user_status", ["user_id", "status"]),
+                IndexSpec(
+                    "ix_insight_goal_project_metric",
+                    ["source_project_slug", "metric_key"],
+                ),
+            ],
+            foreign_keys=[
+                ForeignKeySpec(["user_id"], "user", ["id"]),
+            ],
+        ),
+    ],
+    alter_tables=[
+        AlterTableSpec(
+            name="insight_event",
+            add_columns=[
+                # Audit trail for user-created events. Null on collector and
+                # CLI-created rows.
+                ColumnSpec("created_by_user_id", "sa.Integer()", nullable=True),
+            ],
+            add_foreign_keys=[
+                ForeignKeySpec(["created_by_user_id"], "user", ["id"]),
             ],
         ),
     ],
@@ -814,6 +916,7 @@ class ServiceMigrationSpec:
     "payment": PAYMENT_MIGRATION,
     "payment_auth_link": PAYMENT_AUTH_LINK_MIGRATION,
     "insights": INSIGHTS_MIGRATION,
+    "insights_auth_link": INSIGHTS_AUTH_LINK_MIGRATION,
 }
 
 # ============================================================================
@@ -867,24 +970,28 @@ def upgrade() -> None:
 
 {% endfor %}
 {% for alter in alter_tables %}
-    # Alter {{ alter.name }} table
+    # Alter {{ alter.name }} table — batch_alter_table is required for
+    # SQLite, which doesn't support ALTER for FK constraints. Postgres
+    # treats it as plain ALTER, so this is portable across both backends.
+    with op.batch_alter_table('{{ alter.name }}') as batch_op:
 {% for column in alter.add_columns %}
-    op.add_column('{{ alter.name }}', sa.Column('{{ column.name }}', {{ column.type }}, nullable={{ column.nullable }}{% if column.server_default %}, server_default={{ column.server_default }}{% endif %}))
+        batch_op.add_column(sa.Column('{{ column.name }}', {{ column.type }}, nullable={{ column.nullable }}{% if column.server_default %}, server_default={{ column.server_default }}{% endif %}))
 {% endfor %}
 {% for fk in alter.add_foreign_keys %}
-    op.create_foreign_key('fk_{{ alter.name }}_{{ fk.columns[0] }}_{{ fk.ref_table }}', '{{ alter.name }}', '{{ fk.ref_table }}', {{ fk.columns }}, {{ fk.ref_columns }})
+        batch_op.create_foreign_key('fk_{{ alter.name }}_{{ fk.columns[0] }}_{{ fk.ref_table }}', '{{ fk.ref_table }}', {{ fk.columns }}, {{ fk.ref_columns }})
 {% endfor %}
 
 {% endfor %}
 
 def downgrade() -> None:
     """Reverse {{ service_name }} migration."""
 {% for alter in alter_tables|reverse %}
+    with op.batch_alter_table('{{ alter.name }}') as batch_op:
 {% for fk in alter.add_foreign_keys|reverse %}
-    op.drop_constraint('fk_{{ alter.name }}_{{ fk.columns[0] }}_{{ fk.ref_table }}', '{{ alter.name }}', type_='foreignkey')
+        batch_op.drop_constraint('fk_{{ alter.name }}_{{ fk.columns[0] }}_{{ fk.ref_table }}', type_='foreignkey')
 {% endfor %}
 {% for column in alter.add_columns|reverse %}
-    op.drop_column('{{ alter.name }}', '{{ column.name }}')
+        batch_op.drop_column('{{ column.name }}')
 {% endfor %}
 {% endfor %}
 {% for table in tables|reverse %}
@@ -1194,7 +1301,8 @@ def get_services_needing_migrations(context: dict[str, Any]) -> list[str]:
 
     # Insights service (always needs database)
     include_insights = context.get("include_insights")
-    if include_insights == "yes" or include_insights is True:
+    include_insights_on = include_insights == "yes" or include_insights is True
+    if include_insights_on:
         services.append("insights")
 
     # Payment service (always needs database)
@@ -1210,6 +1318,12 @@ def get_services_needing_migrations(context: dict[str, Any]) -> list[str]:
     if include_payment_on and include_auth_on:
         services.append("payment_auth_link")
 
+    # Insights + Auth: add insight_event.created_by_user_id FK and
+    # create the user-scoped insight_goal table. Runs after both base
+    # migrations so the `user` table exists when the FK is created.
+    if include_insights_on and include_auth_on:
+        services.append("insights_auth_link")
+
     return services
 
 

aegis/core/post_gen_tasks.py

@@ -493,6 +493,10 @@ def _rename_backend_files(suffix: str) -> set[str]:
         remove_file(project_path, "tests/services/test_auth_service.py")
         remove_file(project_path, "tests/services/test_auth_integration.py")
         remove_file(project_path, "tests/models/test_user.py")
+        # Goal service is auth-coupled (Goal.user_id FK to user table), so its
+        # tests are only meaningful when auth is on. The source file lives
+        # under app/services/insights/ but follows the auth cleanup path.
+        remove_file(project_path, "tests/services/test_goal_service.py")
         # Note: alembic removal is handled below based on whether ANY service needs migrations
 
     # Remove auth org files if org level not selected (but auth is enabled)
@@ -664,6 +668,10 @@ def _rename_backend_files(suffix: str) -> set[str]:
         remove_file(project_path, "tests/services/test_collector_pypi.py")
         remove_file(project_path, "tests/services/test_collector_plausible.py")
         remove_file(project_path, "tests/services/test_collector_reddit.py")
+        # Goal service tests import from app.services.insights, so they
+        # must be removed whenever insights is off — not just when auth is
+        # off (the auth-coupled cleanup above handles the auth-off path).
+        remove_file(project_path, "tests/services/test_goal_service.py")
         remove_file(project_path, "tests/api/test_insights_endpoints.py")
         remove_file(project_path, "tests/test_bulk_response.py")
         remove_file(project_path, "tests/test_cache_integration.py")

aegis/templates/copier-aegis-project/{{ project_slug }}/app/models/user.py.jinja

@@ -1,11 +1,55 @@
 """User data models."""
 
 from datetime import UTC, datetime
+from enum import StrEnum
 
 from pydantic import EmailStr
+from sqlalchemy import Column, String, UniqueConstraint
 from sqlmodel import Field, SQLModel
 
 
+class OAuthProvider(StrEnum):
+    """Supported third-party identity providers. Add a new value here when
+    wiring another provider (Microsoft, Apple, etc.); no DB change needed."""
+
+    GITHUB = "github"
+    GOOGLE = "google"
+
+
+class UserOAuthIdentity(SQLModel, table=True):
+    """Links a User row to a third-party identity.
+
+    One user can have many identities (future: GitHub + Google for the same
+    account). A given (provider, provider_user_id) can only map to one user,
+    enforced by `uq_user_oauth_identity_provider_pid` — prevents a drive-by
+    attacker from hijacking someone's external identity.
+    """
+
+    __tablename__ = "user_oauth_identity"
+    __table_args__ = (
+        UniqueConstraint(
+            "provider", "provider_user_id",
+            name="uq_user_oauth_identity_provider_pid",
+        ),
+    )
+
+    id: int | None = Field(default=None, primary_key=True)
+    user_id: int = Field(foreign_key="user.id", index=True)
+    provider: OAuthProvider = Field(
+        sa_column=Column("provider", String(32), nullable=False),
+    )
+    provider_user_id: str = Field(max_length=128)  # str to support int or uuid
+    provider_username: str | None = Field(default=None, max_length=128)
+    provider_email: str | None = Field(default=None, max_length=255)
+    avatar_url: str | None = Field(default=None, max_length=512)
+    created_at: datetime = Field(
+        default_factory=lambda: datetime.now(UTC).replace(tzinfo=None),
+    )
+    updated_at: datetime = Field(
+        default_factory=lambda: datetime.now(UTC).replace(tzinfo=None),
+    )
+
+
 class PasswordResetToken(SQLModel, table=True):
     """Token for password reset requests."""
 
@@ -53,6 +97,13 @@ class PasswordResetConfirm(SQLModel):
     new_password: str = Field(min_length=8)
 
 
+class ChangePasswordRequest(SQLModel):
+    """Request body for the authenticated change-password endpoint."""
+
+    current_password: str
+    new_password: str = Field(min_length=8)
+
+
 class UserBase(SQLModel):
     """Base user model with shared fields."""
 
@@ -99,3 +150,17 @@ class UserResponse(UserBase):
     last_login: datetime | None = None
     created_at: datetime
     updated_at: datetime | None = None
+    # Whether the account has a local password set. Drives UI decisions like
+    # "can this user safely disconnect an OAuth provider without getting
+    # locked out?". Computed — not a DB column.
+    has_password: bool = False
+
+    @classmethod
+    def from_user(cls, user: "User") -> "UserResponse":
+        """Single constructor so every UserResponse across the API carries
+        the same computed fields. Keep API callers on this, not
+        `model_validate`, to avoid drift."""
+        return cls.model_validate({
+            **user.model_dump(),
+            "has_password": bool(user.hashed_password),
+        })