Merge pull request #599 from lbedner/auth-fixes

Auth Fixes

Author: lbedner

CLAUDE.md

@@ -32,7 +32,7 @@ Each generated project includes:
 
 ## Installation
 
-**Current Version**: 0.6.8rc1
+**Current Version**: 0.6.8rc2
 
 ```bash
 pip install aegis-stack

aegis/__init__.py

@@ -2,4 +2,4 @@
 Aegis Stack CLI - Component generation and project management tools.
 """
 
-__version__ = "0.6.8rc1"
+__version__ = "0.6.8rc2"

aegis/commands/add_service.py

@@ -14,7 +14,17 @@
     validate_copier_project,
     validate_git_repository,
 )
-from ..constants import AnswerKeys, ComponentNames, Messages, StorageBackends
+from ..constants import (
+    AnswerKeys,
+    AuthLevels,
+    ComponentNames,
+    Messages,
+    StorageBackends,
+)
+from ..core.auth_service_parser import (
+    is_auth_service_with_options,
+    parse_auth_service_config,
+)
 from ..core.component_utils import (
     extract_base_component_name,
     extract_base_service_name,
@@ -26,6 +36,7 @@
     MIGRATION_SPECS,
     bootstrap_alembic,
     generate_migration,
+    get_services_needing_migrations,
     service_has_migration,
 )
 from ..core.project_map import render_project_map
@@ -162,6 +173,24 @@ def add_service_command(
         base_service = service_base_map[service]
         include_key = AnswerKeys.include_key(base_service)
         if existing_answers.get(include_key) is True:
+            # Special case: auth level upgrades (basic → rbac → org)
+            if base_service == AnswerKeys.SERVICE_AUTH and is_auth_service_with_options(
+                service
+            ):
+                auth_config = parse_auth_service_config(service)
+                current_level = existing_answers.get(
+                    AnswerKeys.AUTH_LEVEL, AuthLevels.BASIC
+                )
+                level_order = {
+                    AuthLevels.BASIC: 0,
+                    AuthLevels.RBAC: 1,
+                    AuthLevels.ORG: 2,
+                }
+                if level_order.get(auth_config.level, 0) > level_order.get(
+                    current_level, 0
+                ):
+                    # Upgrading auth level — don't skip
+                    continue
             already_enabled.append(service)
 
     if already_enabled:
@@ -362,6 +391,18 @@ def add_service_command(
             # Get base service name (strips variant syntax like [langchain,sqlite])
             base_service = service_base_map[service]
 
+            # For auth service, pass auth level data
+            if base_service == AnswerKeys.SERVICE_AUTH and is_auth_service_with_options(
+                service
+            ):
+                auth_config = parse_auth_service_config(service)
+                service_data[AnswerKeys.AUTH_LEVEL] = auth_config.level
+                service_data[AnswerKeys.AUTH_RBAC] = auth_config.level in (
+                    AuthLevels.RBAC,
+                    AuthLevels.ORG,
+                )
+                service_data[AnswerKeys.AUTH_ORG] = auth_config.level == AuthLevels.ORG
+
             # For AI service, use the captured configuration
             if base_service == AnswerKeys.SERVICE_AI:
                 # Use providers from interactive config, or default to openai
@@ -441,6 +482,21 @@ def add_service_command(
                         fg="green",
                     )
 
+        # For auth level upgrades, generate any missing level-specific migrations
+        # (e.g., auth_rbac, auth_org, auth_tokens)
+        updated_answers = updater.answers
+        needed_migrations = get_services_needing_migrations(updated_answers)
+        for migration_service in needed_migrations:
+            if migration_service in MIGRATION_SPECS and not service_has_migration(
+                target_path, migration_service
+            ):
+                migration_path = generate_migration(target_path, migration_service)
+                if migration_path:
+                    typer.secho(
+                        f"   {t('add_service.generated_migration', name=migration_path.name)}",
+                        fg="green",
+                    )
+
         # Auto-run migrations for services that need them
         # Exclude AI service with memory backend (doesn't need migrations)
         ai_needs_migrations = (

aegis/core/manual_updater.py

@@ -38,6 +38,18 @@
     "app/components/backend/api/deps.py",
 }
 
+# Files with Jinja conditionals that depend on auth level (basic/rbac/org).
+# Must be regenerated when upgrading auth level.
+REGENERATE_ON_AUTH_LEVEL_CHANGE = {
+    "app/models/user.py",
+    "app/core/security.py",
+    "app/services/auth/auth_service.py",
+    "app/components/backend/api/auth/router.py",
+    "app/components/backend/api/deps.py",
+    "app/components/frontend/dashboard/modals/auth_modal.py",
+    "app/components/frontend/dashboard/modals/auth_users_tab.py",
+}
+
 
 class UpdateResult(BaseModel):
     """Result of a component update operation."""
@@ -142,7 +154,14 @@ def add_component(
             # Check if already enabled
             include_key = AnswerKeys.include_key(component)
             if self.answers.get(include_key) is True:
-                raise ValueError(f"Component '{component}' is already enabled")
+                # Allow auth level upgrades (basic → rbac → org)
+                is_auth_upgrade = (
+                    component == AnswerKeys.SERVICE_AUTH
+                    and additional_data
+                    and AnswerKeys.AUTH_LEVEL in additional_data
+                )
+                if not is_auth_upgrade:
+                    raise ValueError(f"Component '{component}' is already enabled")
 
             # Merge additional data
             update_data = additional_data or {}
@@ -204,7 +223,15 @@ def add_component(
                     # Check for conflicts
                     if output_path.exists():
                         # Some files have conditional content and must be regenerated
-                        if relative_path in REGENERATE_ON_COMPONENT_CHANGE:
+                        is_auth_upgrade = (
+                            additional_data
+                            and AnswerKeys.AUTH_LEVEL in additional_data
+                            and relative_path in REGENERATE_ON_AUTH_LEVEL_CHANGE
+                        )
+                        if (
+                            relative_path in REGENERATE_ON_COMPONENT_CHANGE
+                            or is_auth_upgrade
+                        ):
                             output_path.write_text(content)
                             verbose_print(f"   Regenerated: {relative_path}")
                             files_modified.append(relative_path)

aegis/core/post_gen_tasks.py

@@ -129,6 +129,13 @@ def get_component_file_mapping() -> dict[str, list[str]]:
             # Frontend dashboard files
             "app/components/frontend/dashboard/cards/auth_card.py",
             "app/components/frontend/dashboard/modals/auth_modal.py",
+            "app/components/frontend/dashboard/modals/auth_users_tab.py",
+            # Org-level files (cleaned up by post_gen if org not selected)
+            "app/models/org.py",
+            "app/components/backend/api/orgs",
+            "app/components/frontend/dashboard/modals/auth_orgs_tab.py",
+            "tests/services/test_org_integration.py",
+            "tests/api/test_org_endpoints.py",
         ],
         AnswerKeys.SERVICE_AI: [
             "app/components/backend/api/ai",

copier.yml

@@ -6,7 +6,7 @@
 # - Update support
 
 _min_copier_version: "9.0.0"
-_version: "0.6.8rc1"
+_version: "0.6.8rc2"
 
 # IMPORTANT: Template content is in subdirectory
 # This allows the template to be recognized as git-tracked (aegis-stack repo root has .git)

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "aegis-stack"
-version = "0.6.8rc1"
+version = "0.6.8rc2"
 description = "A production-ready FastAPI platform with modular components and a built-in control plane. Try: uvx aegis-stack init my-project"
 readme = "README.md"
 requires-python = ">=3.11,<3.15"