
Commit 437f28f

pinglincursoragent
andcommitted
refactor(artifact): update admin RPCs and add filter support to ListFilesAdmin
- Reformat long RPC signatures with line wrapping for readability
- Update AddFilesToKnowledgeBaseAdmin to use file resource names
- Update DeleteKnowledgeBaseAdmin docs to describe CASCADE behavior
- Update ListFilesAdmin docs to clarify it bypasses per-file FGA checks
- Add AIP-160 filter field to ListFilesAdminRequest for filtering by file ID and tags
- Change UpdateObject body from "object" to "*" for full request body
- Normalize field annotation spacing in file.proto

Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent c2f349c commit 437f28f


4 files changed

+114
-96
lines changed


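--- a/artifact/v1alpha/artifact_private_service.proto
+++ b/artifact/v1alpha/artifact_private_service.proto
@@ -126,25 +126,27 @@ service ArtifactPrivateService {
 // Reset knowledge base embeddings (admin only)
 rpc ResetKnowledgeBaseEmbeddingsAdmin(ResetKnowledgeBaseEmbeddingsAdminRequest) returns (ResetKnowledgeBaseEmbeddingsAdminResponse);
 
-// Add files to knowledge base (admin only)
+// List files in a knowledge base without ACL filtering (admin only)
 //
-// Adds file associations to a target knowledge base by file UIDs.
-// Files can belong to multiple KBs (many-to-many relationship).
-// Files that already exist in the target KB are skipped (no duplicates).
-rpc AddFilesToKnowledgeBaseAdmin(AddFilesToKnowledgeBaseAdminRequest) returns (AddFilesToKnowledgeBaseAdminResponse);
+// Lists all files in a knowledge base without per-file FGA permission checks.
+// Unlike the public ListFiles endpoint which filters results based on
+// can_read_file permission, this admin endpoint returns all files.
+// Supports AIP-160 filter expressions for filtering by file ID and tags.
+// Used by internal services (e.g., agent-backend) for service-to-service
+// file lookups where the calling service handles authorization at its own
+// level.
+rpc ListFilesAdmin(ListFilesAdminRequest) returns (ListFilesAdminResponse);
 
-// Delete knowledge base (admin only)
+// Delete a knowledge base (admin only)
 //
-// Force deletes a knowledge base even if it contains files. The files remain
-// in the file table but lose their KB association (orphaned). Used during
-// KB consolidation migrations after files have been moved to another KB.
+// Force-deletes a knowledge base and CASCADE removes file-KB associations.
+// Used by admin consolidation operations to remove duplicate KBs after moving
+// files.
 rpc DeleteKnowledgeBaseAdmin(DeleteKnowledgeBaseAdminRequest) returns (DeleteKnowledgeBaseAdminResponse);
 
-// List files in a knowledge base (admin only)
+// Add files to a knowledge base (admin only)
 //
-// Lists all files in a knowledge base without ACL checks. Unlike the public
-// ListKnowledgeBaseFiles endpoint which requires authentication context, this
-// admin endpoint allows internal services to list files during migrations and
-// administrative operations.
-rpc ListFilesAdmin(ListFilesAdminRequest) returns (ListFilesAdminResponse);
+// Adds file associations to a target KB by file resource names. Files can
+// belong to multiple KBs (many-to-many relationship).
+rpc AddFilesToKnowledgeBaseAdmin(AddFilesToKnowledgeBaseAdminRequest) returns (AddFilesToKnowledgeBaseAdminResponse);
 }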
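Review bot: The new ListFilesAdmin comment says the calling service "handles authorization at its own level" but does not state what a caller is obliged to do, even though the RPC returns every file in the knowledge base with no `can_read_file` check. I would add a line such as `// Callers MUST apply their own access check before exposing results to an end user; do not route this RPC through a user-facing gateway.`, worded to match how the private service is actually deployed. The rewritten AddFilesToKnowledgeBaseAdmin comment also drops the sentence about files already in the target KB being skipped, and the DeleteKnowledgeBaseAdmin comment no longer says whether the file rows themselves survive the delete. If those behaviours are unchanged, the sentences should stay. The service block opens above this hunk.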

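--- a/artifact/v1alpha/artifact_public_service.proto
+++ b/artifact/v1alpha/artifact_public_service.proto
@@ -333,7 +333,7 @@ service ArtifactPublicService {
 rpc UpdateObject(UpdateObjectRequest) returns (UpdateObjectResponse) {
 option (google.api.http) = {
 patch: "/v1alpha/{object.name=namespaces/*/objects/*}"
-body: "object"
+body: "*"
 };
 option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
 tags: "Artifact"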
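Review bot: Switching the binding to `body: "*"` changes the HTTP contract of UpdateObject, and the proto carries no comment saying so. Clients that sent the Object as the top-level JSON body now have to send `{"object": {...}, "updateMask": "..."}`, as the regenerated UpdateObjectBody definition shows. As I understand grpc-gateway's PATCH handling, a wildcard body leaves the field mask exactly as the client sent it instead of deriving it from the body. The handler (not visible here) therefore presumably needs an explicit rule for an empty `update_mask`, and must keep ignoring the read-only fields (`id`, `ownerName`, `creatorName`, …) that a client can still place in `object`. I would add above the option `// body "*": the request JSON is the whole UpdateObjectRequest; update_mask travels in the body and is not inferred by the gateway.` The rpc block continues past the end of this hunk.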

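--- a/artifact/v1alpha/knowledge_base.proto
+++ b/artifact/v1alpha/knowledge_base.proto
@@ -381,7 +381,7 @@ message DeleteKnowledgeBaseAdminResponse {
 }
 
 // ListFilesAdminRequest represents a request to list files in a knowledge base
-// (admin only).
+// (admin only, bypasses ACL checks).
 message ListFilesAdminRequest {
 // The resource name of the knowledge base.
 // Format: `namespaces/{namespace}/knowledge-bases/{knowledge_base}`
@@ -393,6 +393,12 @@ message ListFilesAdminRequest {
 int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
 // Page token for pagination.
 string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
+// AIP-160 filter expression. Supports the same syntax as the public ListFiles API.
+// Examples:
+// - `id="file-abc123"` - filter by hash-based file ID
+// - `tags:"agent:collection:col-xxx"` - filter by tag
+// - `(id="file-a" OR id="file-b") AND tags:"mytag"` - compound filter
+string filter = 4 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // ListFilesAdminResponse represents a response for listing files (admin only).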
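Review bot: The comment on the new `filter` field in the second hunk gives syntax examples but not the contract a caller needs: which fields are filterable, what a malformed or unsupported expression returns, and that the filter only narrows within the requested knowledge base. Because ListFilesAdmin results are not permission-filtered, a calling service that builds the expression from user-influenced values has to quote and escape them so a value cannot change the shape of the expression. The tag example suggests collection IDs are interpolated this way. I would append `// Only id and tags are filterable; other fields or a malformed expression return INVALID_ARGUMENT.` and `// Callers must escape any value they interpolate; results are not ACL-filtered.`, adjusted to what the handler actually does. The first field of the message lies between the two hunks and is not visible here.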

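--- a/openapi/v2/service.swagger.yaml
+++ b/openapi/v2/service.swagger.yaml
@@ -1184,88 +1184,11 @@ paths:
 required: true
 type: string
 pattern: namespaces/[^/]+/objects/[^/]+
-- name: object
-description: |-
-The object to update. The object's `name` field identifies it.
-Format: `namespaces/{namespace}/objects/{object}`
+- name: body
 in: body
 required: true
 schema:
-type: object
-properties:
-id:
-type: string
-description: |-
-Immutable canonical resource ID (e.g., "obj-3k7m9p2w5t1").
-Hash-based, unique within a namespace.
-readOnly: true
-displayName:
-type: string
-description: Human-readable display name (user-provided filename).
-ownerName:
-type: string
-title: |-
-Resource name of the owner namespace.
-Format: `namespaces/{namespace}`
-readOnly: true
-creatorName:
-type: string
-title: |-
-Full resource name of the user who created this object.
-Format: `users/{user}`
-readOnly: true
-createTime:
-type: string
-format: date-time
-description: Object creation time.
-readOnly: true
-updateTime:
-type: string
-format: date-time
-description: Object update time.
-readOnly: true
-size:
-type: string
-format: int64
-description: Size in bytes.
-readOnly: true
-contentType:
-type: string
-description: Content type (MIME type from Content-Type header or file extension).
-readOnly: true
-isUploaded:
-type: boolean
-description: Whether the file has been uploaded to storage.
-readOnly: true
-objectExpireDays:
-type: integer
-format: int32
-description: |-
-Object expiration time in days.
-If set to 0, the object will not be deleted automatically.
-lastModifiedTime:
-type: string
-format: date-time
-description: Last modified time (client-provided metadata).
-deleteTime:
-type: string
-format: date-time
-description: Object delete time (for soft delete). Output only.
-readOnly: true
-slug:
-type: string
-title: |-
-URL-friendly slug derived from display_name.
-Example: "my-document-pdf"
-aliases:
-type: array
-items:
-type: string
-description: Previous slugs for backward compatibility when display_name changes.
-readOnly: true
-title: |-
-The object to update. The object's `name` field identifies it.
-Format: `namespaces/{namespace}/objects/{object}`
+$ref: '#/definitions/UpdateObjectBody'
 tags:
 - Artifact
 x-stage: alpha
@@ -9481,6 +9404,93 @@ definitions:
 allOf:
 - $ref: '#/definitions/Secret'
 description: UpdateNamespaceSecretResponse contains the updated secret.
+UpdateObjectBody:
+type: object
+properties:
+object:
+type: object
+properties:
+id:
+type: string
+description: |-
+Immutable canonical resource ID (e.g., "obj-3k7m9p2w5t1").
+Hash-based, unique within a namespace.
+readOnly: true
+displayName:
+type: string
+description: Human-readable display name (user-provided filename).
+ownerName:
+type: string
+title: |-
+Resource name of the owner namespace.
+Format: `namespaces/{namespace}`
+readOnly: true
+creatorName:
+type: string
+title: |-
+Full resource name of the user who created this object.
+Format: `users/{user}`
+readOnly: true
+createTime:
+type: string
+format: date-time
+description: Object creation time.
+readOnly: true
+updateTime:
+type: string
+format: date-time
+description: Object update time.
+readOnly: true
+size:
+type: string
+format: int64
+description: Size in bytes.
+readOnly: true
+contentType:
+type: string
+description: Content type (MIME type from Content-Type header or file extension).
+readOnly: true
+isUploaded:
+type: boolean
+description: Whether the file has been uploaded to storage.
+readOnly: true
+objectExpireDays:
+type: integer
+format: int32
+description: |-
+Object expiration time in days.
+If set to 0, the object will not be deleted automatically.
+lastModifiedTime:
+type: string
+format: date-time
+description: Last modified time (client-provided metadata).
+deleteTime:
+type: string
+format: date-time
+description: Object delete time (for soft delete). Output only.
+readOnly: true
+slug:
+type: string
+title: |-
+URL-friendly slug derived from display_name.
+Example: "my-document-pdf"
+aliases:
+type: array
+items:
+type: string
+description: Previous slugs for backward compatibility when display_name changes.
+readOnly: true
+title: |-
+The object to update. The object's `name` field identifies it.
+Format: `namespaces/{namespace}/objects/{object}`
+updateMask:
+type: string
+description: The update mask specifies which fields to update.
+description: |-
+UpdateObjectRequest represents a request to update an object.
+Follows AIP-134: resource's `name` field identifies it.
+required:
+- object
 UpdateObjectResponse:
 type: object
 properties: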
