Checkpoint: commit all working directory changes

Author: iamh2o

ARCHITECTURE_GUIDANCE.md

@@ -40,7 +40,7 @@ Queue movement is explicit. Material lineage is explicit. Atlas identity linkage
 - Atlas sends accepted material into Bloom through explicit APIs.
 - Bloom stores Atlas linkage through external-object references.
 - Bloom preserves lineage from specimen and container to run.
-- Bloom resolves `run_euid + index_string` to Atlas tenant, order, and TRF.test EUIDs.
+- Bloom resolves `run_euid + flowcell_id + lane + library_barcode` to Atlas tenant, order, and TRF.test EUIDs.
 - Public APIs use EUIDs only.
 
 ## Non-Goals

ATLAS_BLOOM_API_GUIDANCE.md

@@ -40,6 +40,18 @@ Token management endpoints:
 Recommended token scope for Atlas write flows:
 - `internal_rw` (or `admin`)
 
+Atlas integration config fields that must be set in Atlas:
+
+1. `bloom_base_url`
+2. `bloom_api_key_secret_ref`
+3. `bloom_webhook_secret_ref`
+
+Field meanings:
+
+1. `bloom_base_url`: Bloom API base URL Atlas calls.
+2. `bloom_api_key_secret_ref`: Atlas secret reference for the Bloom bearer token.
+3. `bloom_webhook_secret_ref`: Atlas secret reference used to verify Bloom webhook signatures.
+
 ## 2.1 Atlas Lookup Endpoints (Bloom Validation)
 
 Bloom should validate Atlas references using Atlas integration lookup routes first:

bloom_lims/api/v1/__init__.py

@@ -33,8 +33,6 @@
 from .templates import router as templates_router
 from .tracking import router as tracking_router
 from .user_api_tokens import router as user_api_tokens_router
-from .workflows import router as workflows_router
-from .worksets import router as worksets_router
 
 # Main v1 router
 router = APIRouter(prefix="/api/v1", tags=["API v1"])
@@ -56,9 +54,7 @@
 router.include_router(search_router)
 router.include_router(search_v2_router)
 router.include_router(object_creation_router)
-router.include_router(worksets_router)
 router.include_router(tracking_router)
-router.include_router(workflows_router)
 router.include_router(user_api_tokens_router)
 router.include_router(admin_auth_router)
 router.include_router(external_specimens_router)
@@ -90,8 +86,6 @@ async def api_v1_info():
             "search": "/api/v1/search",
             "search_v2": "/api/v1/search/v2",
             "object_creation": "/api/v1/object-creation",
-            "worksets": "/api/v1/worksets",
-            "workflows": "/api/v1/workflows",
             "user_tokens": "/api/v1/user-tokens",
             "admin_auth": "/api/v1/admin/groups",
             "external_specimens": "/api/v1/external/specimens",

bloom_lims/api/v1/admin_auth.py

@@ -7,7 +7,7 @@
 
 from bloom_lims.api.v1.dependencies import APIUser, require_admin
 from bloom_lims.auth.services.groups import GroupService
-from bloom_lims.auth.services.user_api_tokens import UserAPITokenService
+from bloom_lims.auth.services.user_api_tokens import TokenCreateInput, UserAPITokenService
 from bloom_lims.db import BLOOMdb3
 
 router = APIRouter(prefix="/admin", tags=["Admin Auth"])
@@ -17,6 +17,14 @@ class GroupMemberAddRequest(BaseModel):
     user_id: str = Field(..., min_length=1)
 
 
+class AdminIssueTokenRequest(BaseModel):
+    user_id: str = Field(..., min_length=1)
+    token_name: str = Field(..., min_length=3, max_length=120)
+    scope: str = Field(default="internal_ro")
+    expires_in_days: int = Field(default=30, ge=1, le=3650)
+    note: str | None = None
+
+
 def _require_id(value: str | None, *, field_name: str) -> str:
     normalized = str(value or "").strip()
     if not normalized:
@@ -88,17 +96,35 @@ async def add_group_member(
     bdb = BLOOMdb3(app_username=user.email)
     try:
         service = GroupService(bdb.session)
+        existing = {
+            str(member.user_id): member
+            for member in service.list_group_members(group_code=group_code)
+        }.get(member_user_id)
+
         member = service.add_user_to_group(
             group_code=group_code,
             user_id=member_user_id,
             added_by=actor_user_id,
         )
+
+        if existing is None:
+            result = "added"
+            message = f"Added {member_user_id} to {group_code}"
+        elif existing.is_active:
+            result = "exists"
+            message = f"{member_user_id} is already active in {group_code}"
+        else:
+            result = "reactivated"
+            message = f"Reactivated {member_user_id} membership in {group_code}"
+
         return {
             "id": str(member.id),
             "group_id": str(member.group_id),
             "group_code": member.group_code,
             "user_id": str(member.user_id),
             "is_active": member.is_active,
+            "result": result,
+            "message": message,
         }
     except ValueError as exc:
         raise HTTPException(status_code=404, detail=str(exc)) from exc
@@ -164,6 +190,49 @@ async def list_admin_user_tokens(user: APIUser = Depends(require_admin)):
         bdb.close()
 
 
+@router.post("/user-tokens/issue")
+async def issue_admin_user_token(
+    payload: AdminIssueTokenRequest,
+    user: APIUser = Depends(require_admin),
+):
+    actor_user_id = _require_id(user.user_id, field_name="authenticated user_id")
+    owner_user_id = _require_id(payload.user_id, field_name="user_id")
+    bdb = BLOOMdb3(app_username=user.email)
+    try:
+        service = UserAPITokenService(bdb.session)
+        service.groups.ensure_system_groups()
+        created = service.create_token(
+            owner_user_id=owner_user_id,
+            actor_user_id=actor_user_id,
+            actor_roles=user.roles,
+            actor_groups=user.groups,
+            payload=TokenCreateInput(
+                token_name=payload.token_name,
+                scope=payload.scope,
+                expires_in_days=payload.expires_in_days,
+                note=payload.note,
+            ),
+        )
+        return {
+            "token": {
+                "token_id": str(created.token.id),
+                "user_id": str(created.token.user_id),
+                "token_name": created.token.token_name,
+                "token_prefix": created.token.token_prefix,
+                "scope": created.token.scope,
+                "status": created.revision.status,
+                "expires_at": created.revision.expires_at.isoformat(),
+                "created_at": created.token.created_at.isoformat() if created.token.created_at else None,
+            },
+            "plaintext_token": created.plaintext_token,
+            "message": "Store this token now; it will not be shown again.",
+        }
+    except PermissionError as exc:
+        raise HTTPException(status_code=403, detail=str(exc)) from exc
+    finally:
+        bdb.close()
+
+
 @router.delete("/user-tokens/{token_id}")
 async def revoke_admin_user_token(
     token_id: str,
@@ -224,4 +293,3 @@ async def get_admin_token_usage(
         }
     finally:
         bdb.close()
-

bloom_lims/api/v1/atlas_bridge.py

@@ -6,7 +6,7 @@
 
 from fastapi import APIRouter, Depends, Header, HTTPException
 
-from bloom_lims.api.v1.dependencies import APIUser, require_external_token_auth
+from bloom_lims.api.v1.dependencies import APIUser, require_external_atlas_api_enabled
 from bloom_lims.auth.rbac import Permission
 from bloom_lims.integrations.atlas.service import AtlasDependencyError, AtlasService
 from bloom_lims.schemas.atlas_bridge import (
@@ -20,7 +20,7 @@
 router = APIRouter(prefix="/external/atlas", tags=["External Atlas"])
 
 
-def require_external_write(user: APIUser = Depends(require_external_token_auth)) -> APIUser:
+def require_external_write(user: APIUser = Depends(require_external_atlas_api_enabled)) -> APIUser:
     if not user.has_permission(Permission.BLOOM_WRITE):
         raise HTTPException(status_code=403, detail="Write permission required")
     return user

bloom_lims/api/v1/beta_lab.py

@@ -6,7 +6,11 @@
 
 from fastapi import APIRouter, Depends, Header, HTTPException, Query
 
-from bloom_lims.api.v1.dependencies import APIUser, require_external_token_auth
+from bloom_lims.api.v1.dependencies import (
+    APIUser,
+    require_external_atlas_api_enabled,
+    require_external_ursa_api_enabled,
+)
 from bloom_lims.auth.rbac import Permission
 from bloom_lims.domain.beta_lab import BetaLabService
 from bloom_lims.schemas.beta_lab import (
@@ -33,13 +37,21 @@
 
 
 def require_external_write(
-    user: APIUser = Depends(require_external_token_auth),
+    user: APIUser = Depends(require_external_atlas_api_enabled),
 ) -> APIUser:
     if not user.has_permission(Permission.BLOOM_WRITE):
         raise HTTPException(status_code=403, detail="Write permission required")
     return user
 
 
+def require_external_ursa_read(
+    user: APIUser = Depends(require_external_ursa_api_enabled),
+) -> APIUser:
+    if not user.has_permission(Permission.BLOOM_READ):
+        raise HTTPException(status_code=403, detail="Read permission required")
+    return user
+
+
 def _status_for_value_error(exc: ValueError) -> int:
     detail = str(exc).lower()
     if "not found" in detail:
@@ -214,10 +226,9 @@ async def resolve_run_assignment(
     flowcell_id: str = Query(...),
     lane: str = Query(...),
     library_barcode: str = Query(...),
-    user: APIUser = Depends(require_external_token_auth),
+    user: APIUser = Depends(require_external_ursa_read),
 ):
-    _ = user
-    service = BetaLabService(app_username="atlas-beta-resolver")
+    service = BetaLabService(app_username=user.email)
     try:
         return service.resolve_run_assignment(
             run_euid=run_euid,

bloom_lims/api/v1/dependencies.py

@@ -11,6 +11,8 @@
 
 from bloom_lims.auth.rbac import (
     API_ACCESS_GROUP,
+    ENABLE_ATLAS_API_GROUP,
+    ENABLE_URSA_API_GROUP,
     Permission,
     Role,
     effective_permissions,
@@ -273,7 +275,12 @@ async def get_api_user(
             email="api-dev@daylilyinformatics.com",
             user_id="dev-bypass-admin",
             roles=[Role.ADMIN.value],
-            groups=[Role.ADMIN.value, API_ACCESS_GROUP],
+            groups=[
+                Role.ADMIN.value,
+                API_ACCESS_GROUP,
+                ENABLE_ATLAS_API_GROUP,
+                ENABLE_URSA_API_GROUP,
+            ],
             permissions=sorted(permission.value for permission in Permission),
             role=Role.ADMIN.value,
             auth_source="dev_bypass",
@@ -361,6 +368,29 @@ async def require_external_token_auth(user: APIUser = Depends(get_api_user)) ->
     return user
 
 
+def _require_group_membership(user: APIUser, group_code: str) -> APIUser:
+    normalized_required = str(group_code or "").strip().upper()
+    groups = {str(group or "").strip().upper() for group in user.groups}
+    if normalized_required not in groups:
+        raise HTTPException(
+            status_code=403,
+            detail=f"Group membership required: {normalized_required}",
+        )
+    return user
+
+
+async def require_external_atlas_api_enabled(
+    user: APIUser = Depends(require_external_token_auth),
+) -> APIUser:
+    return _require_group_membership(user, ENABLE_ATLAS_API_GROUP)
+
+
+async def require_external_ursa_api_enabled(
+    user: APIUser = Depends(require_external_token_auth),
+) -> APIUser:
+    return _require_group_membership(user, ENABLE_URSA_API_GROUP)
+
+
 def require_permission(permission: Permission | str):
     async def _check(user: APIUser = Depends(get_api_user)) -> APIUser:
         if not user.has_permission(permission):

bloom_lims/api/v1/external_specimens.py

@@ -6,7 +6,7 @@
 
 from fastapi import APIRouter, Depends, Header, HTTPException, Query
 
-from bloom_lims.api.v1.dependencies import APIUser, require_external_token_auth
+from bloom_lims.api.v1.dependencies import APIUser, require_external_atlas_api_enabled
 from bloom_lims.bobjs import BloomObj
 from bloom_lims.db import BLOOMdb3
 from bloom_lims.domain.external_specimens import ExternalSpecimenService
@@ -85,7 +85,7 @@ def _track_specimen_interaction(
 @router.post("", response_model=ExternalSpecimenResponse)
 async def create_external_specimen(
     payload: ExternalSpecimenCreateRequest,
-    user: APIUser = Depends(require_external_token_auth),
+    user: APIUser = Depends(require_external_atlas_api_enabled),
     idempotency_key: str | None = Header(None, alias="Idempotency-Key"),
 ):
     service = ExternalSpecimenService(app_username=user.email)
@@ -131,7 +131,7 @@ async def find_external_specimens_by_reference(
     atlas_tenant_id: str | None = Query(None),
     atlas_trf_euid: str | None = Query(None),
     atlas_test_euid: str | None = Query(None),
-    user: APIUser = Depends(require_external_token_auth),
+    user: APIUser = Depends(require_external_atlas_api_enabled),
 ):
     refs = AtlasReferences(
         trf_euid=trf_euid,
@@ -156,7 +156,7 @@ async def find_external_specimens_by_reference(
 @router.get("/{specimen_euid}", response_model=ExternalSpecimenResponse)
 async def get_external_specimen(
     specimen_euid: str,
-    user: APIUser = Depends(require_external_token_auth),
+    user: APIUser = Depends(require_external_atlas_api_enabled),
 ):
     service = ExternalSpecimenService(app_username=user.email)
     try:
@@ -174,7 +174,7 @@ async def get_external_specimen(
 async def update_external_specimen(
     specimen_euid: str,
     payload: ExternalSpecimenUpdateRequest,
-    user: APIUser = Depends(require_external_token_auth),
+    user: APIUser = Depends(require_external_atlas_api_enabled),
 ):
     service = ExternalSpecimenService(app_username=user.email)
     previous_status: str | None = None